a4db55ecd4786cdaff0f833730beb50a9bfedf7926bcde505691348abdec1efa

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.exe
Size

1.4MB
MD5

5e600b594c0110f0cc817b9f60f5fb92
SHA1

da93dc76c700609bf06d9356f6191ffb95a51298
SHA256

9783fe3a07f7fb9fcb23c01d4ab9c6ea17f94c5336fd2233134b9bc6bf7d1e36
SHA512

ab46eaa86016ab1b65dc116510b4c85bdcf16e686e6b6611308fe62ed39611f0a73eb7c2d2fa24668e226a8dc117626b13f93fd007906d18aa3f815982a7f775
SSDEEP

24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aK0dPJZKSbOttPPZZm9TkC3fm:ZTvC/MTQYxsWR7aK0dPJZKSbOLITkC3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2580	Quotation.exe
2580	Quotation.exe
2376	Quotation.exe
2376	Quotation.exe
2868	Quotation.exe
2868	Quotation.exe
2460	Quotation.exe
2460	Quotation.exe
2756	Quotation.exe
2756	Quotation.exe
2720	Quotation.exe
2720	Quotation.exe
2740	Quotation.exe
2740	Quotation.exe
2620	Quotation.exe
2620	Quotation.exe
2872	Quotation.exe
2872	Quotation.exe
2592	Quotation.exe
2592	Quotation.exe
1700	Quotation.exe
1700	Quotation.exe
492	Quotation.exe
492	Quotation.exe
1724	Quotation.exe
1724	Quotation.exe
1244	Quotation.exe
1244	Quotation.exe
2244	Quotation.exe
2244	Quotation.exe
2700	Quotation.exe
2700	Quotation.exe
404	Quotation.exe
404	Quotation.exe
1296	Quotation.exe
1296	Quotation.exe
1012	Quotation.exe
1012	Quotation.exe
2504	Quotation.exe
2504	Quotation.exe
1636	Quotation.exe
1636	Quotation.exe
568	Quotation.exe
568	Quotation.exe
2076	Quotation.exe
2076	Quotation.exe
1872	Quotation.exe
1872	Quotation.exe
1588	Quotation.exe
1588	Quotation.exe
2372	Quotation.exe
2372	Quotation.exe
2296	Quotation.exe
2296	Quotation.exe
2752	Quotation.exe
2752	Quotation.exe
2728	Quotation.exe
2728	Quotation.exe
2632	Quotation.exe
2632	Quotation.exe
2608	Quotation.exe
2608	Quotation.exe
2300	Quotation.exe
2300	Quotation.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2580	Quotation.exe
2580	Quotation.exe
2376	Quotation.exe
2376	Quotation.exe
2868	Quotation.exe
2868	Quotation.exe
2460	Quotation.exe
2460	Quotation.exe
2756	Quotation.exe
2756	Quotation.exe
2720	Quotation.exe
2720	Quotation.exe
2740	Quotation.exe
2740	Quotation.exe
2620	Quotation.exe
2620	Quotation.exe
2872	Quotation.exe
2872	Quotation.exe
2592	Quotation.exe
2592	Quotation.exe
1700	Quotation.exe
1700	Quotation.exe
492	Quotation.exe
492	Quotation.exe
1724	Quotation.exe
1724	Quotation.exe
1244	Quotation.exe
1244	Quotation.exe
2244	Quotation.exe
2244	Quotation.exe
2700	Quotation.exe
2700	Quotation.exe
404	Quotation.exe
404	Quotation.exe
1296	Quotation.exe
1296	Quotation.exe
1012	Quotation.exe
1012	Quotation.exe
2504	Quotation.exe
2504	Quotation.exe
1636	Quotation.exe
1636	Quotation.exe
568	Quotation.exe
568	Quotation.exe
2076	Quotation.exe
2076	Quotation.exe
1872	Quotation.exe
1872	Quotation.exe
1588	Quotation.exe
1588	Quotation.exe
2372	Quotation.exe
2372	Quotation.exe
2296	Quotation.exe
2296	Quotation.exe
2752	Quotation.exe
2752	Quotation.exe
2728	Quotation.exe
2728	Quotation.exe
2632	Quotation.exe
2632	Quotation.exe
2608	Quotation.exe
2608	Quotation.exe
2300	Quotation.exe
2300	Quotation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2376	2580	Quotation.exe	30
PID 2580 wrote to memory of 2376	2580	Quotation.exe	30
PID 2580 wrote to memory of 2376	2580	Quotation.exe	30
PID 2580 wrote to memory of 2376	2580	Quotation.exe	30
PID 2376 wrote to memory of 2868	2376	Quotation.exe	31
PID 2376 wrote to memory of 2868	2376	Quotation.exe	31
PID 2376 wrote to memory of 2868	2376	Quotation.exe	31
PID 2376 wrote to memory of 2868	2376	Quotation.exe	31
PID 2868 wrote to memory of 2460	2868	Quotation.exe	32
PID 2868 wrote to memory of 2460	2868	Quotation.exe	32
PID 2868 wrote to memory of 2460	2868	Quotation.exe	32
PID 2868 wrote to memory of 2460	2868	Quotation.exe	32
PID 2460 wrote to memory of 2756	2460	Quotation.exe	33
PID 2460 wrote to memory of 2756	2460	Quotation.exe	33
PID 2460 wrote to memory of 2756	2460	Quotation.exe	33
PID 2460 wrote to memory of 2756	2460	Quotation.exe	33
PID 2756 wrote to memory of 2720	2756	Quotation.exe	34
PID 2756 wrote to memory of 2720	2756	Quotation.exe	34
PID 2756 wrote to memory of 2720	2756	Quotation.exe	34
PID 2756 wrote to memory of 2720	2756	Quotation.exe	34
PID 2720 wrote to memory of 2740	2720	Quotation.exe	35
PID 2720 wrote to memory of 2740	2720	Quotation.exe	35
PID 2720 wrote to memory of 2740	2720	Quotation.exe	35
PID 2720 wrote to memory of 2740	2720	Quotation.exe	35
PID 2740 wrote to memory of 2620	2740	Quotation.exe	36
PID 2740 wrote to memory of 2620	2740	Quotation.exe	36
PID 2740 wrote to memory of 2620	2740	Quotation.exe	36
PID 2740 wrote to memory of 2620	2740	Quotation.exe	36
PID 2620 wrote to memory of 2872	2620	Quotation.exe	37
PID 2620 wrote to memory of 2872	2620	Quotation.exe	37
PID 2620 wrote to memory of 2872	2620	Quotation.exe	37
PID 2620 wrote to memory of 2872	2620	Quotation.exe	37
PID 2872 wrote to memory of 2592	2872	Quotation.exe	38
PID 2872 wrote to memory of 2592	2872	Quotation.exe	38
PID 2872 wrote to memory of 2592	2872	Quotation.exe	38
PID 2872 wrote to memory of 2592	2872	Quotation.exe	38
PID 2592 wrote to memory of 1700	2592	Quotation.exe	40
PID 2592 wrote to memory of 1700	2592	Quotation.exe	40
PID 2592 wrote to memory of 1700	2592	Quotation.exe	40
PID 2592 wrote to memory of 1700	2592	Quotation.exe	40
PID 1700 wrote to memory of 492	1700	Quotation.exe	41
PID 1700 wrote to memory of 492	1700	Quotation.exe	41
PID 1700 wrote to memory of 492	1700	Quotation.exe	41
PID 1700 wrote to memory of 492	1700	Quotation.exe	41
PID 492 wrote to memory of 1724	492	Quotation.exe	42
PID 492 wrote to memory of 1724	492	Quotation.exe	42
PID 492 wrote to memory of 1724	492	Quotation.exe	42
PID 492 wrote to memory of 1724	492	Quotation.exe	42
PID 1724 wrote to memory of 1244	1724	Quotation.exe	43
PID 1724 wrote to memory of 1244	1724	Quotation.exe	43
PID 1724 wrote to memory of 1244	1724	Quotation.exe	43
PID 1724 wrote to memory of 1244	1724	Quotation.exe	43
PID 1244 wrote to memory of 2244	1244	Quotation.exe	44
PID 1244 wrote to memory of 2244	1244	Quotation.exe	44
PID 1244 wrote to memory of 2244	1244	Quotation.exe	44
PID 1244 wrote to memory of 2244	1244	Quotation.exe	44
PID 2244 wrote to memory of 2700	2244	Quotation.exe	45
PID 2244 wrote to memory of 2700	2244	Quotation.exe	45
PID 2244 wrote to memory of 2700	2244	Quotation.exe	45
PID 2244 wrote to memory of 2700	2244	Quotation.exe	45
PID 2700 wrote to memory of 404	2700	Quotation.exe	46
PID 2700 wrote to memory of 404	2700	Quotation.exe	46
PID 2700 wrote to memory of 404	2700	Quotation.exe	46
PID 2700 wrote to memory of 404	2700	Quotation.exe	46

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        5⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        6⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        7⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        9⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        10⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        11⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        12⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        13⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        14⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        15⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        20⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        21⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        23⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        24⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        25⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        26⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        27⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        28⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        29⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        30⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        31⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        32⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        33⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        35⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        36⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        37⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        38⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        41⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        42⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        43⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        44⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        45⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        49⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        50⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        51⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        53⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        54⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        55⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        56⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        59⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        61⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        62⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        63⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        64⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        65⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        66⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        67⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        68⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        72⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        74⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        76⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        78⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        79⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        80⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        81⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        83⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        84⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        85⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        86⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        89⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        90⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        92⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        94⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        95⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        96⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        98⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        100⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        104⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        106⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        107⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        108⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        109⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        111⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        113⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        116⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        117⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        120⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        121⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        122⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        126⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        129⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        130⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        131⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        132⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        133⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        134⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        136⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        137⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        140⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        141⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        142⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        143⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        144⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        145⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        148⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        149⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        151⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        152⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        158⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        161⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        163⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        164⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        165⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        166⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        167⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        169⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        171⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        172⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        173⤵
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB654.tmp

Filesize
428KB

MD5
ae67b7cd896ed19f7bf64cf0611c2d77

SHA1
a0d5b19b773f7060548deeb22b6540182cbcb3cb

SHA256
90c981ad1351ddc51b79bc376a4e17e70cb540eef8b35a81ebebf739066e9251

SHA512
8f10f1e3ee1296bf1a2830b270cb1f1bcb5069dbf5d0e1cc414b72918d8d191e1f386170bb959b02e896291ed2fed98854a341f53adc81c588131e7018706a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB684.tmp

Filesize
42KB

MD5
75f8c0ba74f196ae7c34144cc42adb21

SHA1
6fd748a9006ee681d06fca48586829b47e21dce5

SHA256
1b3871c92935458c450afa1b7dab7c8b3e57d637691eef39354924d4ae08700a

SHA512
89f9616e38f7832c5c4df4bd31889c3f05335cfcc24cb0fdda7398a5060e1871da45b1f5155791e25002a54646efd034cd679bdf67358ea0f2a00bbe59e6e939

Download Submit
C:\Users\Admin\AppData\Local\Temp\electicism

Filesize
64KB

MD5
aedded0e5a7c46016327a71da9460eec

SHA1
c416eb4a05a3bb8e2c1f34efde4602f65f53b8c4

SHA256
7f01d8dead11388b7b0cf001d8512764f490500dd0864c3b94241b29ec818b32

SHA512
54af580500799145101a57961e28c20762716c08308fc434ef116c419e3a9ee47a0b8bbb1b48352d8c784c6cc67dd184a4a5ed3864ef5831ba6b4117ec4fed5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\electicism

Filesize
84KB

MD5
7ebf6078e8f3331829e33ab45284386e

SHA1
658ae7e72e7e2ac2ca60de2ce44d990e208ddc23

SHA256
6253784150c31e0f19e32624bbe3a376deab3502adb4721a31dc9ebd27a8b6f5

SHA512
644a865475879d19075371880cc5912ca8382b29a93ce3fa34520bc20417d34dab9a6aa433acc5bb21e0e019753075fac600fca8168fea73a281ffb65e891770

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonplacental

Filesize
483KB

MD5
aaca4cc881a1ece8828442f3f96dd2af

SHA1
a8347f629dbdfd6fad04e07464719d3368d95d4b

SHA256
7ba0334c5beaea06a1dbc9c0ca9ee35078b97ba2ad402578fddfe66f395be0f7

SHA512
4aac852b0851c5b52d055e988af454d35a81a2dcd435b62858cb002fa72c151e88de4e5558c431aebb4690401467fd1abca20ab67532b76d3cbc23f59e511858

Download Submit
memory/2580-11-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download