Edit tour

Windows Analysis Report
z1QuotationSheetVSAA6656776.exe

Overview

General Information

Sample name:	z1QuotationSheetVSAA6656776.exe
Analysis ID:	1480054
MD5:	cfb41760f84e1e70bade0ca7394d424b
SHA1:	139d1068c52255526ec38fe7ce0c48c365492712
SHA256:	a2be0d024f1ed07193631fd4bcf91b224685a2624a3396dedbed5d071c29889f
Tags:	exe
Infos:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Mass process execution to delay analysis

Obfuscated command line found

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

Too many similar processes found

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

z1QuotationSheetVSAA6656776.exe (PID: 1180 cmdline: "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" MD5: CFB41760F84E1E70BADE0CA7394D424B)

cmd.exe (PID: 7072 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7184 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7228 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7280 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7332 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7412 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7464 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7516 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7568 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7628 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7680 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7732 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7784 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7836 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7888 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7932 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7984 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8044 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8096 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8148 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7176 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7224 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7252 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7328 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3268 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7432 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7412 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7464 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7520 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7572 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7636 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7688 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7760 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7812 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7864 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7896 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7968 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8016 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8076 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8128 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8180 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2060 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7200 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3280 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7252 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7328 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7436 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7432 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7412 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7464 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7520 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7692 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7632 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7684 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7832 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7884 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7904 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7864 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7932 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7984 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8024 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8072 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8132 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7172 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3723865485.000000000061B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000006.00000002.3723865485.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000006.00000002.3724630520.0000000005631000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 1180	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z1QuotationSheetVSAA6656776.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: z1QuotationSheetVSAA6656776.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00406167 FindFirstFileA,FindClose,	6_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	6_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00402688 FindFirstFileA,	6_2_00402688

Source: unknown

DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: z1QuotationSheetVSAA6656776.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: z1QuotationSheetVSAA6656776.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_004051BA

Source: Conhost.exe

Process created: 96

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z1QuotationSheetVSAA6656776.exe

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

6_2_0040322B

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_004049F9		6_2_004049F9
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_004064AE		6_2_004064AE

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: invalid certificate

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.evad.winEXE@407/13@1/0

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

6_2_0040322B

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

6_2_00404486

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_0040205E CoCreateInstance,MultiByteToWideChar,

6_2_0040205E

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

File created: C:\Users\user\AppData\Local\Temp\nsu5B22.tmp

Jump to behavior

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z1QuotationSheetVSAA6656776.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

File read: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: z1QuotationSheetVSAA6656776.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.3724630520.0000000005631000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3723865485.000000000061B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3723865485.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 1180, type: MEMORYSTR

Obfuscated command line found

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

6_2_10001A5D

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_10002D20 push eax; ret

6_2_10002D4E

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	File created: C:\Users\user\AppData\Local\Temp\nsq5D76.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	File created: C:\Users\user\AppData\Local\Temp\nsq5D76.tmp\nsExec.dll			Jump to dropped file

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

RDTSC instruction interceptor: First address: 5B228AC second address: 5B228AC instructions: 0x00000000 rdtsc 0x00000002 cmp eax, ecx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F39C4DBBBD8h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq5D76.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq5D76.tmp\nsExec.dll			Jump to dropped file

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00406167 FindFirstFileA,FindClose,	6_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	6_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Code function: 6_2_00402688 FindFirstFileA,	6_2_00402688

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	API call chain: ExitProcess graph end node			graph_6-4234
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	API call chain: ExitProcess graph end node			graph_6-4399

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

Code function: 6_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

6_2_10001A5D

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe

6_2_0040322B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	1 Time Based Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Time Based Evasion	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
z1QuotationSheetVSAA6656776.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1QuotationSheetVSAA6656776.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
z1QuotationSheetVSAA6656776.exe