Windows Analysis Report new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe

Overview

General Information

Sample Name: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Analysis ID: 532730
MD5: 66cbe976594f666d5440264a4084b21f
SHA1: 944c8819e41ad59333527141a7fd5180253969e1
SHA256: 460eb4667362671be2be1e94afe56e73331c3a3cd58b028e49ec135fec8888a9
Tags: agentteslaexe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "marketing@kyowasecurity.com.sg", "Password": "avKw1$991", "Host": "mail.kyowasecurity.com.sg"}
Multi AV Scanner detection for submitted file
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aUkURZiJ.exe ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\aUkURZiJ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49831 -> 113.197.35.43:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: USONYX-AS-APUSONYXPTELTDSG
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49831 -> 113.197.35.43:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49831 -> 113.197.35.43:587
Source: unknown DNS traffic detected: queries for: mail.kyowasecurity.com.sg

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
.NET source code contains very large array initializations
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.cs Large array initialization: .cctor: array initializer size 11950
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.cs Large array initialization: .cctor: array initializer size 11950
Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.cs Large array initialization: .cctor: array initializer size 11950
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.cs Large array initialization: .cctor: array initializer size 11950
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.cs Large array initialization: .cctor: array initializer size 11950
Uses 32bit PE files
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_025598E8 0_2_025598E8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_02559790 0_2_02559790
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07083F40 0_2_07083F40
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07082D00 0_2_07082D00
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07085570 0_2_07085570
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088C18 0_2_07088C18
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708D458 0_2_0708D458
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070864A0 0_2_070864A0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07084B80 0_2_07084B80
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708D928 0_2_0708D928
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07080040 0_2_07080040
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07087F40 0_2_07087F40
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07087F50 0_2_07087F50
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070897B1 0_2_070897B1
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070897D8 0_2_070897D8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708DE50 0_2_0708DE50
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07083E9B 0_2_07083E9B
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07083EF1 0_2_07083EF1
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07085560 0_2_07085560
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708C5B0 0_2_0708C5B0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070885C8 0_2_070885C8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070885D8 0_2_070885D8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088C08 0_2_07088C08
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07083330 0_2_07083330
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07083340 0_2_07083340
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708CB68 0_2_0708CB68
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07084B70 0_2_07084B70
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070863A0 0_2_070863A0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070873A1 0_2_070873A1
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070873B0 0_2_070873B0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_070863FB 0_2_070863FB
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088A40 0_2_07088A40
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088258 0_2_07088258
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088A50 0_2_07088A50
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088268 0_2_07088268
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0708F118 0_2_0708F118
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088800 0_2_07088800
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_07088810 0_2_07088810
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0CF10040 0_2_0CF10040
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0CF1210A 0_2_0CF1210A
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0CF14480 0_2_0CF14480
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0CF10006 0_2_0CF10006
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0CF122AA 0_2_0CF122AA
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_01122D50 5_2_01122D50
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_0112DFD8 5_2_0112DFD8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_01121FF0 5_2_01121FF0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_01122618 5_2_01122618
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_01129DB8 5_2_01129DB8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011EC510 5_2_011EC510
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E5558 5_2_011E5558
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E1970 5_2_011E1970
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E0040 5_2_011E0040
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E78F8 5_2_011E78F8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E40E8 5_2_011E40E8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E0006 5_2_011E0006
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E4E50 5_2_011E4E50
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011E82F8 5_2_011E82F8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E4800 5_2_013E4800
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E3D2C 5_2_013E3D2C
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E3EB8 5_2_013E3EB8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E4770 5_2_013E4770
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E4750 5_2_013E4750
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E47F3 5_2_013E47F3
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013E54F0 5_2_013E54F0
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_013ED800 5_2_013ED800
Sample file is different than original file name gathered from version info
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000000.243922147.000000000030C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.293338597.0000000006F70000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.518319405.0000000000ABC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Binary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aUkURZiJ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File read: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe "C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe"
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe {path}
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File created: C:\Users\user\AppData\Roaming\aUkURZiJ.exe
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File created: C:\Users\user\AppData\Local\Temp\tmp8923.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/3@1/1
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_01
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Mutant created: \Sessions\1\BaseNamedObjects\qhBPaQtUSZKpqqGhtcCkqEcA
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 0_2_0028376A push ebp; retf 0_2_0028376B
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_00A3376A push ebp; retf 5_2_00A3376B
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_01127A37 push edi; retn 0000h 5_2_01127A39
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_011EBA50 pushfd ; retf 5_2_011EBDB9
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_0138E333 push eax; ret 5_2_0138E349
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_0138D95C push eax; ret 5_2_0138D95D
Binary contains a suspicious time stamp
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Static PE information: 0xAC6B97B1 [Wed Aug 31 16:45:37 2061 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.63105429026

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File created: \new order tricolor-6.45 tricolor-6.3 tricolor-8.1 tricolor-7.66.......exe
Drops PE files
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File created: C:\Users\user\AppData\Roaming\aUkURZiJ.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.2799e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4252, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 3280 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 1844 Thread sleep count: 3411 > 30 Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 1844 Thread sleep count: 6409 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Window / User API: threadDelayed 3411 Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Window / User API: threadDelayed 6409 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: vmware
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.520645254.00000000010ED000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (weak indicator on its own: "Hyper-V RAW" is the display name of the Winsock provider that mswsock.dll registers on current Windows builds, so the string is present in the injected child's memory whether or not the sample checks for Hyper-V)
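The Yara hit and the memory strings above say that the sample carries anti-VM logic, but not which checks. The following triage script is an added example for this report, not code from the sample or from the sandbox: it groups the strings quoted in this section into evasion families, drops the one string that is normal on every Windows build, and buckets the thread delays the way the report's own "long sleep (>= 3 min)" heuristic does. The family names, the benign list and SAMPLE_DUMP are this script's own constructions; the delay value 922337203685477 is .NET TimeSpan.MaxValue expressed in milliseconds.

```python
"""Triage the anti-VM / anti-sandbox strings and sleep values listed above.

Added example for this report; it is not code from the sample or from the
sandbox.  The indicator families are built from the strings and WMI classes
quoted in the Malware Analysis System Evasion section, the constructed
SAMPLE_DUMP copies those strings, and the family names are this script's own.
"""
import re
from collections import defaultdict

# One regex per evasion family.  Memory strings are often run together with
# neighbouring data (see 'VMware SVGA IIOData Source=...'), so patterns are
# searched, not full-matched.
INDICATOR_FAMILIES = [
    ("sandboxie_dll",     re.compile(r"sbiedll\.dll", re.I)),
    ("wine_export",       re.compile(r"wine_get_unix_file_name", re.I)),
    ("vmware_artifact",   re.compile(r"vmware (svga ii|tools)|vmware, inc\.|\\vmware\\", re.I)),
    ("disk_enum_regkey",  re.compile(r"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+"
                                     r"|SYSTEM\\ControlSet\d+\\Services\\Disk\\Enum", re.I)),
    ("display_class_key", re.compile(r"\{4D36E968-E325-11CE-BFC1-08002BE10318\}", re.I)),
    ("wmi_hw_query",      re.compile(r"\bWin32_(Processor|BaseBoard|Bios|NetworkAdapter(Configuration)?)\b", re.I)),
]

# Strings that mention a hypervisor but are normal on every current Windows
# build: 'Hyper-V RAW' is the Winsock provider name that mswsock.dll registers.
BENIGN_PATTERNS = [re.compile(r"Hyper-V RAW.*mswsock\.dll", re.I)]

LONG_SLEEP_MS = 3 * 60 * 1000              # the report's 'long sleep (>= 3 min)' bar
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000    # .NET TimeSpan.MaxValue in ms = 922337203685477


def classify_strings(strings):
    """Group memory strings by evasion family.

    Returns (hits, ignored): hits maps family -> sorted unique strings,
    ignored lists strings dropped because they match BENIGN_PATTERNS.
    """
    hits = defaultdict(set)
    ignored = []
    for s in strings:
        if any(p.search(s) for p in BENIGN_PATTERNS):
            ignored.append(s)
            continue
        for family, pat in INDICATOR_FAMILIES:
            if pat.search(s):
                hits[family].add(s)
    return {k: sorted(v) for k, v in hits.items()}, ignored


def verdict(hits, min_families=2):
    """Call anti-VM only when independent families co-occur: a lone VMware
    string can come from a legitimate library, a lone WMI query from inventory code."""
    return "anti-vm-likely" if len(hits) >= min_families else "inconclusive"


def classify_delay(delay_ms):
    """Bucket a thread delay the way the report does, and name the special case
    where the value is TimeSpan.MaxValue (the thread is parked indefinitely)."""
    if delay_ms >= TIMESPAN_MAX_MS:
        return "effectively-infinite"
    if delay_ms >= LONG_SLEEP_MS:
        return "long-sleep"
    return "normal"


# Constructed input: the strings and delay values quoted in this section,
# plus one unrelated connection-string fragment as a control.
SAMPLE_DUMP = [
    "WINE_GET_UNIX_FILE_NAME",
    "SBIEDLL.DLL",
    "VMware SVGA IIOData Source=localhost\\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "VMWARE\"SOFTWARE\\VMware, Inc.\\VMware ToolsLHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
    "vmwareNSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
    "Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
    "SELECT * FROM Win32_Processor",
    "Initial Catalog=dbSMS",
]
SAMPLE_DELAYS_MS = [922337203685477, 922337203685477]

if __name__ == "__main__":
    hits, ignored = classify_strings(SAMPLE_DUMP)
    for family, strings in sorted(hits.items()):
        print(f"{family:18} {len(strings)} string(s)")
    print("ignored as benign:", ignored)
    print("verdict:", verdict(hits))
    print("delays:", [classify_delay(d) for d in SAMPLE_DELAYS_MS])
```

Run against the strings in this section the script reports six distinct families, which is what turns a single Yara match into an explainable finding; the co-occurrence threshold in verdict() is there because any one family (a VMware Tools path, a Win32_Processor query) also appears in legitimate software.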

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Code function: 5_2_0112DFD8 LdrInitializeThunk, 5_2_0112DFD8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Memory written: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp" Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Process created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe {path} Jump to behavior
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
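Two behaviours in this section are worth turning into detection logic: the sample creates a copy of itself suspended with the command line {path} and writes a buffer starting with 4D5A (an MZ header) at the child's image base 0x400000, which is process hollowing, and it persists by having schtasks.exe import a task definition from a .tmp file under the user's AppData\Local\Temp. The correlator below is an added example for this report, not code from the sample or the sandbox. The Event record, its field names and the rule logic are this script's own; the task rule is modelled on the Sigma check named in the report's signature list; the event stream is constructed from the process tree shown here, and every PID other than 4252 is made up. The hollowing rule is written generally, so it also fires when the suspended child is a different, trusted host image rather than the sample itself.

```python
"""Correlate process events into the two HIPS-evasion behaviours listed above:
a PE image written into a process created suspended (process hollowing) and a
scheduled task imported from an XML file under the user's Temp directory.

Added example for this report, not code from the sample or the sandbox.
Event fields and rule names are this script's own; PIDs other than 4252 are
made up.
"""
import re
from dataclasses import dataclass

MZ = b"MZ"  # 0x4D5A, the DOS header magic the report observed at the child's base


@dataclass
class Event:
    kind: str              # "create" | "write" | "resume"
    pid: int               # acting process
    image: str             # acting process image path
    target_pid: int = 0    # process created / written / resumed
    target_image: str = ""
    cmdline: str = ""
    suspended: bool = False
    base: int = 0
    data: bytes = b""      # first bytes written, for "write" events


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _arg_value(cmdline, switch):
    """Value following a schtasks switch, with or without surrounding quotes."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect_hollowing(events):
    """Flag a suspended create followed by a write beginning with 'MZ' into the
    same child, whether the child is the sample itself or another host image."""
    suspended = {}   # target_pid -> the create event
    findings = []
    for e in events:
        if e.kind == "create" and e.suspended:
            suspended[e.target_pid] = e
        elif e.kind == "write" and e.target_pid in suspended and e.data.startswith(MZ):
            c = suspended[e.target_pid]
            findings.append({
                "rule": "pe_written_into_suspended_child",
                "parent": c.image, "target": c.target_image, "base": e.base,
                "self_image": c.target_image == c.image,   # classic self-hollowing
            })
    return findings


def detect_task_from_temp(events):
    """Flag schtasks /Create whose /XML definition lives under AppData\\Local\\Temp."""
    findings = []
    for e in events:
        if e.kind != "create" or not e.target_image.lower().endswith("schtasks.exe"):
            continue
        if not re.search(r"(?i)/create\b", e.cmdline):
            continue
        xml = _arg_value(e.cmdline, "/XML")
        if xml and TEMP_RE.search(xml):
            findings.append({"rule": "task_xml_from_user_temp", "parent": e.image,
                             "task": _arg_value(e.cmdline, "/TN"), "xml": xml})
    return findings


# Constructed event stream modelled on the report's process tree.
SELF = r"C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_EVENTS = [
    Event("create", 4252, SELF, 5120, SCHTASKS, suspended=True, cmdline=(
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" '
        r'/XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp"')),
    Event("create", 4252, SELF, 5316, SELF, cmdline="{path}", suspended=True),
    Event("write", 4252, SELF, 5316, SELF, base=0x400000, data=MZ + b"\x90\x00\x03\x00"),
    Event("resume", 4252, SELF, 5316, SELF),
    # control: a vendor installer importing a task XML from Program Files must not fire
    Event("create", 900, r"C:\Program Files\Vendor\setup.exe", 901, SCHTASKS, cmdline=(
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" '
        r'/XML "C:\Program Files\Vendor\task.xml"')),
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS) + detect_task_from_temp(SAMPLE_EVENTS):
        print(f)
```

The schtasks child is also created suspended but never receives an MZ write, so only the self-spawn is reported as hollowing; keying on the child PID rather than the image path is what keeps the two suspended creates apart when, as here, parent and child share a path.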

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3922928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3806288.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.517392444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.284209429.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.284592595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4792, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4792, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3922928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3806288.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.517392444.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.284209429.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.284592595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4792, type: MEMORYSTR