9783fe3a07f7fb9fcb23c01d4ab9c6ea17f94c5336fd2233134b9bc6bf7d1e36

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.exe
Size

1.4MB
MD5

5e600b594c0110f0cc817b9f60f5fb92
SHA1

da93dc76c700609bf06d9356f6191ffb95a51298
SHA256

9783fe3a07f7fb9fcb23c01d4ab9c6ea17f94c5336fd2233134b9bc6bf7d1e36
SHA512

ab46eaa86016ab1b65dc116510b4c85bdcf16e686e6b6611308fe62ed39611f0a73eb7c2d2fa24668e226a8dc117626b13f93fd007906d18aa3f815982a7f775
SSDEEP

24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aK0dPJZKSbOttPPZZm9TkC3fm:ZTvC/MTQYxsWR7aK0dPJZKSbOLITkC3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2128	Quotation.exe
2128	Quotation.exe
2912	Quotation.exe
2912	Quotation.exe
2812	Quotation.exe
2812	Quotation.exe
884	Quotation.exe
884	Quotation.exe
2528	Quotation.exe
2528	Quotation.exe
2988	Quotation.exe
2988	Quotation.exe
2412	Quotation.exe
2412	Quotation.exe
2320	Quotation.exe
2320	Quotation.exe
2936	Quotation.exe
2936	Quotation.exe
1848	Quotation.exe
1848	Quotation.exe
2752	Quotation.exe
2752	Quotation.exe
1512	Quotation.exe
1512	Quotation.exe
2200	Quotation.exe
2200	Quotation.exe
2184	Quotation.exe
2184	Quotation.exe
1780	Quotation.exe
1780	Quotation.exe
1676	Quotation.exe
1676	Quotation.exe
1184	Quotation.exe
1184	Quotation.exe
592	Quotation.exe
592	Quotation.exe
2088	Quotation.exe
2088	Quotation.exe
1736	Quotation.exe
1736	Quotation.exe
1976	Quotation.exe
1976	Quotation.exe
1612	Quotation.exe
1612	Quotation.exe
1964	Quotation.exe
1964	Quotation.exe
2084	Quotation.exe
2084	Quotation.exe
276	Quotation.exe
276	Quotation.exe
1564	Quotation.exe
1564	Quotation.exe
2300	Quotation.exe
2300	Quotation.exe
2536	Quotation.exe
2536	Quotation.exe
2524	Quotation.exe
2524	Quotation.exe
1504	Quotation.exe
1504	Quotation.exe
1624	Quotation.exe
1624	Quotation.exe
2712	Quotation.exe
2712	Quotation.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2128	Quotation.exe
2128	Quotation.exe
2912	Quotation.exe
2912	Quotation.exe
2812	Quotation.exe
2812	Quotation.exe
884	Quotation.exe
884	Quotation.exe
2528	Quotation.exe
2528	Quotation.exe
2988	Quotation.exe
2988	Quotation.exe
2412	Quotation.exe
2412	Quotation.exe
2320	Quotation.exe
2320	Quotation.exe
2936	Quotation.exe
2936	Quotation.exe
1848	Quotation.exe
1848	Quotation.exe
2752	Quotation.exe
2752	Quotation.exe
1512	Quotation.exe
1512	Quotation.exe
2200	Quotation.exe
2200	Quotation.exe
2184	Quotation.exe
2184	Quotation.exe
1780	Quotation.exe
1780	Quotation.exe
1676	Quotation.exe
1676	Quotation.exe
1184	Quotation.exe
1184	Quotation.exe
592	Quotation.exe
592	Quotation.exe
2088	Quotation.exe
2088	Quotation.exe
1736	Quotation.exe
1736	Quotation.exe
1976	Quotation.exe
1976	Quotation.exe
1612	Quotation.exe
1612	Quotation.exe
1964	Quotation.exe
1964	Quotation.exe
2084	Quotation.exe
2084	Quotation.exe
276	Quotation.exe
276	Quotation.exe
1564	Quotation.exe
1564	Quotation.exe
2300	Quotation.exe
2300	Quotation.exe
2536	Quotation.exe
2536	Quotation.exe
2524	Quotation.exe
2524	Quotation.exe
1504	Quotation.exe
1504	Quotation.exe
1624	Quotation.exe
1624	Quotation.exe
2712	Quotation.exe
2712	Quotation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2912	2128	Quotation.exe	30
PID 2128 wrote to memory of 2912	2128	Quotation.exe	30
PID 2128 wrote to memory of 2912	2128	Quotation.exe	30
PID 2128 wrote to memory of 2912	2128	Quotation.exe	30
PID 2912 wrote to memory of 2812	2912	Quotation.exe	31
PID 2912 wrote to memory of 2812	2912	Quotation.exe	31
PID 2912 wrote to memory of 2812	2912	Quotation.exe	31
PID 2912 wrote to memory of 2812	2912	Quotation.exe	31
PID 2812 wrote to memory of 884	2812	Quotation.exe	32
PID 2812 wrote to memory of 884	2812	Quotation.exe	32
PID 2812 wrote to memory of 884	2812	Quotation.exe	32
PID 2812 wrote to memory of 884	2812	Quotation.exe	32
PID 884 wrote to memory of 2528	884	Quotation.exe	33
PID 884 wrote to memory of 2528	884	Quotation.exe	33
PID 884 wrote to memory of 2528	884	Quotation.exe	33
PID 884 wrote to memory of 2528	884	Quotation.exe	33
PID 2528 wrote to memory of 2988	2528	Quotation.exe	34
PID 2528 wrote to memory of 2988	2528	Quotation.exe	34
PID 2528 wrote to memory of 2988	2528	Quotation.exe	34
PID 2528 wrote to memory of 2988	2528	Quotation.exe	34
PID 2988 wrote to memory of 2412	2988	Quotation.exe	35
PID 2988 wrote to memory of 2412	2988	Quotation.exe	35
PID 2988 wrote to memory of 2412	2988	Quotation.exe	35
PID 2988 wrote to memory of 2412	2988	Quotation.exe	35
PID 2412 wrote to memory of 2320	2412	Quotation.exe	36
PID 2412 wrote to memory of 2320	2412	Quotation.exe	36
PID 2412 wrote to memory of 2320	2412	Quotation.exe	36
PID 2412 wrote to memory of 2320	2412	Quotation.exe	36
PID 2320 wrote to memory of 2936	2320	Quotation.exe	37
PID 2320 wrote to memory of 2936	2320	Quotation.exe	37
PID 2320 wrote to memory of 2936	2320	Quotation.exe	37
PID 2320 wrote to memory of 2936	2320	Quotation.exe	37
PID 2936 wrote to memory of 1848	2936	Quotation.exe	38
PID 2936 wrote to memory of 1848	2936	Quotation.exe	38
PID 2936 wrote to memory of 1848	2936	Quotation.exe	38
PID 2936 wrote to memory of 1848	2936	Quotation.exe	38
PID 1848 wrote to memory of 2752	1848	Quotation.exe	39
PID 1848 wrote to memory of 2752	1848	Quotation.exe	39
PID 1848 wrote to memory of 2752	1848	Quotation.exe	39
PID 1848 wrote to memory of 2752	1848	Quotation.exe	39
PID 2752 wrote to memory of 1512	2752	Quotation.exe	40
PID 2752 wrote to memory of 1512	2752	Quotation.exe	40
PID 2752 wrote to memory of 1512	2752	Quotation.exe	40
PID 2752 wrote to memory of 1512	2752	Quotation.exe	40
PID 1512 wrote to memory of 2200	1512	Quotation.exe	41
PID 1512 wrote to memory of 2200	1512	Quotation.exe	41
PID 1512 wrote to memory of 2200	1512	Quotation.exe	41
PID 1512 wrote to memory of 2200	1512	Quotation.exe	41
PID 2200 wrote to memory of 2184	2200	Quotation.exe	42
PID 2200 wrote to memory of 2184	2200	Quotation.exe	42
PID 2200 wrote to memory of 2184	2200	Quotation.exe	42
PID 2200 wrote to memory of 2184	2200	Quotation.exe	42
PID 2184 wrote to memory of 1780	2184	Quotation.exe	43
PID 2184 wrote to memory of 1780	2184	Quotation.exe	43
PID 2184 wrote to memory of 1780	2184	Quotation.exe	43
PID 2184 wrote to memory of 1780	2184	Quotation.exe	43
PID 1780 wrote to memory of 1676	1780	Quotation.exe	44
PID 1780 wrote to memory of 1676	1780	Quotation.exe	44
PID 1780 wrote to memory of 1676	1780	Quotation.exe	44
PID 1780 wrote to memory of 1676	1780	Quotation.exe	44
PID 1676 wrote to memory of 1184	1676	Quotation.exe	45
PID 1676 wrote to memory of 1184	1676	Quotation.exe	45
PID 1676 wrote to memory of 1184	1676	Quotation.exe	45
PID 1676 wrote to memory of 1184	1676	Quotation.exe	45

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        5⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        6⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        7⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        8⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        10⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        11⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        13⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        14⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        15⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        16⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        17⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        18⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        20⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        21⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        22⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        23⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        24⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        26⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        27⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        28⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        30⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        31⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        32⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        34⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        35⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        36⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        37⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        38⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        39⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        42⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        43⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        44⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        46⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        48⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        49⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        50⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        52⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        54⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        55⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        57⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        58⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        59⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        60⤵
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        61⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        62⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        64⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        65⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        66⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        68⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        69⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        70⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        71⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        72⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        74⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        78⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        79⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        80⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        81⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        82⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        83⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        84⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        85⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        86⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        87⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        91⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        94⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        95⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        96⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        97⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        98⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        99⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        100⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        101⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        102⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        105⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        106⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        108⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        109⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        110⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        111⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        112⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        114⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        115⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        116⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        117⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        118⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        119⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        120⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        121⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        122⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        123⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        125⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        127⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        128⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        129⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        130⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        131⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        132⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        133⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        135⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        136⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        140⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        142⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        143⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        144⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        145⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        147⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        148⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        152⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        154⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        155⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        159⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        160⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        161⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        162⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        163⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        164⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        165⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        166⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        170⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        171⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        173⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        175⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        176⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        177⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        178⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        180⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        181⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        182⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        183⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        184⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        185⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        186⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        187⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        188⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        189⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        190⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        191⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        192⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        193⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        197⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        198⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        199⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        201⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        203⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        204⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        206⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        207⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        209⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        212⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        214⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        217⤵
        
        PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut55CE.tmp

Filesize
428KB

MD5
ae67b7cd896ed19f7bf64cf0611c2d77

SHA1
a0d5b19b773f7060548deeb22b6540182cbcb3cb

SHA256
90c981ad1351ddc51b79bc376a4e17e70cb540eef8b35a81ebebf739066e9251

SHA512
8f10f1e3ee1296bf1a2830b270cb1f1bcb5069dbf5d0e1cc414b72918d8d191e1f386170bb959b02e896291ed2fed98854a341f53adc81c588131e7018706a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut55FD.tmp

Filesize
42KB

MD5
75f8c0ba74f196ae7c34144cc42adb21

SHA1
6fd748a9006ee681d06fca48586829b47e21dce5

SHA256
1b3871c92935458c450afa1b7dab7c8b3e57d637691eef39354924d4ae08700a

SHA512
89f9616e38f7832c5c4df4bd31889c3f05335cfcc24cb0fdda7398a5060e1871da45b1f5155791e25002a54646efd034cd679bdf67358ea0f2a00bbe59e6e939

Download Submit
C:\Users\Admin\AppData\Local\Temp\electicism

Filesize
84KB

MD5
7ebf6078e8f3331829e33ab45284386e

SHA1
658ae7e72e7e2ac2ca60de2ce44d990e208ddc23

SHA256
6253784150c31e0f19e32624bbe3a376deab3502adb4721a31dc9ebd27a8b6f5

SHA512
644a865475879d19075371880cc5912ca8382b29a93ce3fa34520bc20417d34dab9a6aa433acc5bb21e0e019753075fac600fca8168fea73a281ffb65e891770

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonplacental

Filesize
128KB

MD5
931ce1486c32ea6eab5d6393d770800f

SHA1
adc9fdff75cf63018f7e3da331783286bb2daf5c

SHA256
9d6d7d920a205869f7ec42e0f9089405ec8d1c2a8b1230aa5e216a1af97af3f0

SHA512
bbfe2a3e99f478e8748a49e23465a626168669be94e483fbce6b4a89a5d257b651056b07a853710b61f78cd789728580aa96c2e9af91dc9e69e54af595297248

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonplacental

Filesize
483KB

MD5
aaca4cc881a1ece8828442f3f96dd2af

SHA1
a8347f629dbdfd6fad04e07464719d3368d95d4b

SHA256
7ba0334c5beaea06a1dbc9c0ca9ee35078b97ba2ad402578fddfe66f395be0f7

SHA512
4aac852b0851c5b52d055e988af454d35a81a2dcd435b62858cb002fa72c151e88de4e5558c431aebb4690401467fd1abca20ab67532b76d3cbc23f59e511858

Download Submit
memory/2128-11-0x00000000004F0000-0x00000000004F4000-memory.dmp

Filesize
16KB

Download