
Windows Analysis Report
rDB_YAK_838327E.cmd

Overview

General Information

Sample name: rDB_YAK_838327E.cmd
Analysis ID: 1627857
MD5: 7103cba33be7a5c26d2f60a5c1efa0fd
SHA1: d6fe126b586ec1e6d1f270171702d7726ba02d3d
SHA256: 1f3c62fca5bf7185f2b7db15042da223b9a95b01ac24d9fa217e297057486d1b
Tags: cmd, user-Porcupine

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: Suspicious Creation with Colorcpl
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rDB_YAK_838327E.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 1424 cmdline: extrac32 /y "C:\Users\user\Desktop\rDB_YAK_838327E.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • x.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 1C38DAD206EF3BA3F3D9695F67C0294B)
      • colorcpl.exe (PID: 5640 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
        • recover.exe (PID: 6252 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xrkt" MD5: D38B657A068016768CA9F3B5E100B472)
        • recover.exe (PID: 4052 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\atxlilk" MD5: D38B657A068016768CA9F3B5E100B472)
        • recover.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kndwjdukttx" MD5: D38B657A068016768CA9F3B5E100B472)
  • Ugisfxtz.PIF (PID: 4896 cmdline: "C:\Users\user\Links\Ugisfxtz.PIF" MD5: 1C38DAD206EF3BA3F3D9695F67C0294B)
    • SndVol.exe (PID: 7036 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Ugisfxtz.PIF (PID: 4148 cmdline: "C:\Users\user\Links\Ugisfxtz.PIF" MD5: 1C38DAD206EF3BA3F3D9695F67C0294B)
    • colorcpl.exe (PID: 4364 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["kavemarb99juyet1.duckdns.org:4688:0", "kavemarb99juyet1.duckdns.org:4689:1", "kavemarb99juyet2.duckdns.org:4689:0", "kavemarb99juyet3.duckdns.org:4689:0", "kavemarb99juyet4.duckdns.org:4689:0", "kavemarb99juyet5.duckdns.org:4689:0"], "Assigned name": "YAKCMD", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "shslokuybwg-BKAP0P", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "myq.ocx", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "6", "Copy folder": "Remcos", "Keylog folder": ""}
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\myq.ocx | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
0000000D.00000002.2516763955.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000004.00000002.2347317719.000000007FB00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(42 entries in total)

Source | Rule | Description | Author
6.2.colorcpl.exe.31790000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
6.3.colorcpl.exe.315f26a0.11.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.recover.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
6.2.colorcpl.exe.7180000.3.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
6.2.colorcpl.exe.7180000.3.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(78 entries in total)

System Summary

Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 5640, TargetFilename: C:\Users\user\AppData\Roaming\myq.ocx
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\\Users\\user\\Links\Ugisfxtz.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 5076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ugisfxtz
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\user\Links\Ugisfxtz.PIF" , CommandLine: "C:\Users\user\Links\Ugisfxtz.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\user\Links\Ugisfxtz.PIF, NewProcessName: C:\Users\user\Links\Ugisfxtz.PIF, OriginalFileName: C:\Users\user\Links\Ugisfxtz.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Links\Ugisfxtz.PIF" , ProcessId: 4896, ProcessName: Ugisfxtz.PIF

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-03T10:01:35.430937+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49783 | 172.94.126.47 | 4688 | TCP
2025-03-03T10:01:36.180740+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 172.94.126.47 | 4688 | 192.168.2.6 | 49783 | TCP
2025-03-03T10:04:04.256016+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 172.94.126.47 | 4688 | 192.168.2.6 | 49783 | TCP
2025-03-03T10:01:37.083277+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49790 | 178.237.33.50 | 80 | TCP

                        AV Detection

Source: C:\Users\user\Links\Ugisfxtz.PIF | Avira: detection malicious, Label: HEUR/AGEN.1326095
Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: HEUR/AGEN.1326095
Source: 9.2.SndVol.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["kavemarb99juyet1.duckdns.org:4688:0", "kavemarb99juyet1.duckdns.org:4689:1", "kavemarb99juyet2.duckdns.org:4689:0", "kavemarb99juyet3.duckdns.org:4689:0", "kavemarb99juyet4.duckdns.org:4689:0", "kavemarb99juyet5.duckdns.org:4689:0"], "Assigned name": "YAKCMD", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "shslokuybwg-BKAP0P", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "myq.ocx", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "6", "Copy folder": "Remcos", "Keylog folder": ""}
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Links\Ugisfxtz.PIF | ReversingLabs: Detection: 44%
Source: rDB_YAK_838327E.cmd | Virustotal: Detection: 27%
Source: rDB_YAK_838327E.cmd | ReversingLabs: Detection: 28%
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\myq.ocx, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_00433B64
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_071B4823 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_071B4823
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_00433B64
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05154823 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_05154823
Source: colorcpl.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                        Exploits

Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR

                        Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00406ABC _wcslen,CoGetObject,6_2_00406ABC
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00406ABC _wcslen,CoGetObject,9_2_00406ABC
                        Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.2516763955.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                        Source: Binary string: C:\vmagent_new\bin\joblist\416325\out\Release\EaInstHelper.pdb source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_029352F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,4_2_029352F8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_004090DC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0041C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0040B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0044E989 FindFirstFileExA,6_2_0044E989
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_00408CDE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00419CEE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407EDD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00406F13 FindFirstFileW,FindNextFileW,6_2_00406F13
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0718C579 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0718C579
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0718C374 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0718C374
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07188B9C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_07188B9C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719A9AD FindFirstFileW,6_2_0719A9AD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_071CF648 FindFirstFileExA,6_2_071CF648
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719D4A4 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0719D4A4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07189D9B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_07189D9B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07187BD2 FindFirstFileW,FindNextFileW,6_2_07187BD2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0718999D __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_0718999D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_054910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_054910F1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_05496580 FindFirstFileExA,6_2_05496580
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,9_2_004090DC
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040B6B5
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,9_2_0041C7E5
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040B8BA
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0044E989 FindFirstFileExA,9_2_0044E989
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,9_2_00408CDE
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419CEE
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,9_2_00407EDD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00406F13 FindFirstFileW,FindNextFileW,9_2_00406F13
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0512C579 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0512C579
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0512C374 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0512C374
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0513A9AD FindFirstFileW,9_2_0513A9AD
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05128B9C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,9_2_05128B9C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0513D4A4 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,9_2_0513D4A4
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0516F648 FindFirstFileExA,9_2_0516F648
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05129D9B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,9_2_05129D9B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0512999D __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,9_2_0512999D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05127BD2 FindFirstFileW,FindNextFileW,9_2_05127BD2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00407357

                        Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49783 -> 172.94.126.47:4688
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.94.126.47:4688 -> 192.168.2.6:49783
Source: Malware configuration extractor | URLs: kavemarb99juyet1.duckdns.org
Source: Malware configuration extractor | URLs: kavemarb99juyet1.duckdns.org
Source: Malware configuration extractor | URLs: kavemarb99juyet2.duckdns.org
Source: Malware configuration extractor | URLs: kavemarb99juyet3.duckdns.org
Source: Malware configuration extractor | URLs: kavemarb99juyet4.duckdns.org
Source: Malware configuration extractor | URLs: kavemarb99juyet5.duckdns.org
Source: unknown | DNS query: name: kavemarb99juyet1.duckdns.org
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: KEMINETAL
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49790 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00404574 WaitForSingleObject,SetEvent,recv,6_2_00404574
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe, 0000000D.00000002.2517417441.0000000004A09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 0000000D.00000002.2517417441.0000000004A09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                        Source: colorcpl.exe, 00000006.00000003.2464561625.0000000003444000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ted:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                        Source: colorcpl.exe, 00000006.00000003.2464561625.0000000003444000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ted:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                        Source: global trafficDNS traffic detected: DNS query: kavemarb99juyet1.duckdns.org
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                        Source: colorcpl.exe, 00000006.00000003.2520874945.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2371060750.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                        Source: colorcpl.exe, 00000006.00000003.2520874945.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2371060750.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/j
                        Source: colorcpl.exe, colorcpl.exe, 00000006.00000003.2520874945.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752638021.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521351534.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520874945.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.0000000003412000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2371060750.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, bhv8238.tmp.13.drString found in binary or memory: http://geoplugin.net/json.gp
                        Source: colorcpl.exe, 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521351534.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520874945.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.0000000003412000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.0000000003415000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpLZ
                        Source: colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.0000000003405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpN
                        Source: colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp_
                        Source: colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.0000000003405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpa
                        Source: colorcpl.exe, 00000006.00000003.2371060750.0000000003415000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.0000000003405000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497991322.0000000003405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpal
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0:
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0H
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0I
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0Q
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0S
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0a
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crt0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com0&
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.360.cn
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0
                        Source: bhv8238.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0~
                        Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                        Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000003.2502064831.000000000389D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000F.00000003.2502110970.000000000389D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                        Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                        Source: recover.exe, 0000000F.00000003.2502064831.000000000389D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000F.00000003.2502110970.000000000389D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.compData
                        Source: colorcpl.exe, 00000006.00000002.4755424256.0000000005460000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                        Source: recover.exe, 0000000D.00000002.2516886927.0000000002994000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                        Source: recover.exe, 0000000F.00000002.2502369504.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                        Source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                        Source: bhv8238.tmp.13.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719762D OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0513762D OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\myq.ocx, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041CF2D SystemParametersInfoW
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719DBEC SystemParametersInfoW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0041CF2D SystemParametersInfoW
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0513DBEC SystemParametersInfoW

System Summary

Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\colorcpl.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02943380 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02943034 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02949654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02949738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02946AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0294421C GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0294421A GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02943032 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_029495CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02949578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0294399C NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041C077 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041C0A3 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07198F26 CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719CD36 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719CD62 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0719E987 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02906AE0 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02903380 NtWriteVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02903034 NtAllocateVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02909738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_0290421A Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_0290421C Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02903A34 NtProtectVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02909809 NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02903032 NtAllocateVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_0290399C NtProtectVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02909654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_0290341B NtWriteVirtualMemory
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_029095CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: 8_2_02909578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_0513E987 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0294A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07197520 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05137520 ExitWindowsEx,LoadLibraryA,GetProcAddress
                        Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0513495F9_2_0513495F
                        Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0515EA419_2_0515EA41
                        Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0515903F9_2_0515903F
                        Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_0515F0FC9_2_0515F0FC
                        Source: C:\Windows\SysWOW64\SndVol.exeCode function: 9_2_051532609_2_05153260
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02943E20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02943E9C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02934414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 0293457C appears 827 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 0293421C appears 64 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 071B578E appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 071B5E9F appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 07182DD6 appears 39 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00402117 appears 41 times
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: String function: 028F457C appears 566 times
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: String function: 02903E20 appears 48 times
Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: String function: 028F4414 appears 154 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 05155E9F appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 05122DD6 appears 39 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 0515578E appears 43 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 00402117 appears 39 times
Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winCMD@20/7@5/2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_07198798 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 9_2_05138798 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0293793A GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02946760 CreateToolhelp32Snapshot
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                        Source: C:\Users\user\AppData\Local\Temp\x.exeFile created: C:\Users\user\Links\Ugisfxtz.PIFJump to behavior
                        Source: C:\Windows\SysWOW64\colorcpl.exeMutant created: \Sessions\1\BaseNamedObjects\shslokuybwg-BKAP0P
                        Source: C:\Windows\SysWOW64\SndVol.exeMutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                        Source: C:\Windows\System32\extrac32.exeFile created: C:\Users\user\AppData\Local\Temp\CAB01424.TMPJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                        Source: C:\Windows\SysWOW64\recover.exe | System information queried: HandleInformation
                        Source: C:\Windows\SysWOW64\recover.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772817881.00000000318F0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464432145.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464432145.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464432145.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: recover.exe, 0000000D.00000002.2517461592.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2515401265.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                        Source: rDB_YAK_838327E.cmd | Virustotal: Detection: 27%
                        Source: rDB_YAK_838327E.cmd | ReversingLabs: Detection: 28%
                        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rDB_YAK_838327E.cmd" "
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\rDB_YAK_838327E.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                        Source: unknown | Process created: C:\Users\user\Links\Ugisfxtz.PIF "C:\Users\user\Links\Ugisfxtz.PIF"
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                        Source: unknown | Process created: C:\Users\user\Links\Ugisfxtz.PIF "C:\Users\user\Links\Ugisfxtz.PIF"
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xrkt"
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\atxlilk"
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kndwjdukttx"
                        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
                        Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: url.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieframe.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wkscli.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: smartscreenps.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: tquery.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptdll.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: spp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vssapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vsstrace.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppwmi.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppcext.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winscard.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: devobj.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sti.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textshaping.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textinputframework.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coreuicomponents.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: devobj.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: apphelp.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: version.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: uxtheme.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: url.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: ieframe.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: iertutil.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: netapi32.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: userenv.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: winhttp.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: wkscli.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: netutils.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: winmm.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: wininet.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: sspicli.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: windows.storage.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: wldp.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: profapi.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: amsi.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: mswsock.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: ieproxy.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: winnsi.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: msasn1.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: mssip32.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Section loaded: smartscreenps.dll
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ????.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ???e???????????.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ???e???????????.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??????????.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ???.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ???.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ???.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ????.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: ??l.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: tquery.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: cryptdll.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: spp.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: vssapi.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: vsstrace.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: endpointdlp.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: endpointdlp.dllJump to behavior
                        Source: C:\Users\user\Links\Ugisfxtz.PIFSection loaded: endpointdlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                        Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
                        Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                        Source: rDB_YAK_838327E.cmd Static file information: File size 1625627 > 1048576
                        Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.2516763955.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                        Source: Binary string: C:\vmagent_new\bin\joblist\416325\out\Release\EaInstHelper.pdb source: x.exe, 00000004.00000003.2291500219.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2323503161.000000002065A000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2345869038.000000007ECEF000.00000004.00001000.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: Yara match File source: 4.2.x.exe.2930000.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000004.00000002.2347317719.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02943E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_029562A4 push 0295630Fh; ret 4_2_02956307
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02933210 push eax; ret 4_2_0293324C
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_029560AC push 02956125h; ret 4_2_0295611D
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0294A018 push ecx; mov dword ptr [esp], edx 4_2_0294A01D
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0294606C push 029460A4h; ret 4_2_0294609C
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293C1F4 push 0293C61Eh; ret 4_2_0293C616
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_029561F8 push 02956288h; ret 4_2_02956280
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02956144 push 029561ECh; ret 4_2_029561E4
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293617A push 029361BEh; ret 4_2_029361B6
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293617C push 029361BEh; ret 4_2_029361B6
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293F600 push 0293F64Dh; ret 4_2_0293F645
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293C498 push 0293C61Eh; ret 4_2_0293C616
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293F4F4 push 0293F56Ah; ret 4_2_0293F562
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02942410 push ecx; mov dword ptr [esp], edx 4_2_02942412
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293F5FF push 0293F64Dh; ret 4_2_0293F645
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02955504 push 029556E0h; ret 4_2_029556D8
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02942EDC push 02942F87h; ret 4_2_02942F7F
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02942EDA push 02942F87h; ret 4_2_02942F7F
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293BE18 push ecx; mov dword ptr [esp], edx 4_2_0293BE1D
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02943F84 push 02943FBCh; ret 4_2_02943FB4
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02949FB4 push ecx; mov dword ptr [esp], edx 4_2_02949FB9
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02935D9E push 02935DFBh; ret 4_2_02935DF3
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02935DA0 push 02935DFBh; ret 4_2_02935DF3
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0293CDE0 push 0293CE0Ch; ret 4_2_0293CE04
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02943D40 push 02943D82h; ret 4_2_02943D7A
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_004570CF push ecx; ret 6_2_004570E2
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00435226 push ecx; ret 6_2_00435239
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0045D9ED push esi; ret 6_2_0045D9F6
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00457A00 push eax; ret 6_2_00457A1E
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071D86BF push eax; ret 6_2_071D86DD
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071B5EE5 push ecx; ret 6_2_071B5EF8

                        Persistence and Installation Behavior

                        Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\Links\Ugisfxtz.PIF
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_004062E2 ShellExecuteW,URLDownloadToFileW
                        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ugisfxtz
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_029464E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\recover.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle 6_2_0041A941
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle 6_2_0719B600
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle 9_2_0041A941
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle 9_2_0513B600
                        Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 824
                        Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 8837
                        Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: foregroundWindowGot 1746
                        Source: C:\Windows\SysWOW64\colorcpl.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                        Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 9.2 %
                        Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 3.3 %
                        Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6324 Thread sleep time: -60500s >= -30000s
                        Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5376 Thread sleep time: -2472000s >= -30000s
                        Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5376 Thread sleep time: -26511000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_029352F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0044E989 FindFirstFileExA
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00406F13 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0718C579 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0718C374 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_07188B9C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0719A9AD FindFirstFileW
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071CF648 FindFirstFileExA
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0719D4A4 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_07189D9B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_07187BD2 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0718999D __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_054910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_05496580 FindFirstFileExA
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0044E989 FindFirstFileExA
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00406F13 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0512C579 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0512C374 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0513A9AD FindFirstFileW
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05128B9C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0513D4A4 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0516F648 FindFirstFileExA
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05129D9B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0512999D __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05127BD2 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                        Source: x.exe, 00000004.00000002.2306245246.00000000007F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                        Source: colorcpl.exe, 00000006.00000003.2464561625.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2371140961.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520874945.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2497405371.0000000003444000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2521351534.0000000003444000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: bhv8238.tmp.13.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                        Source: colorcpl.exe, 00000006.00000002.4752638021.00000000033E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
                        Source: Ugisfxtz.PIF, 00000008.00000002.2403710839.00000000005FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                        Source: Ugisfxtz.PIF, 0000000B.00000002.2481130880.00000000007D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
                        Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node
                        Source: C:\Users\user\Links\Ugisfxtz.PIF API call chain: ExitProcess graph end node
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0294A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
                        Source: C:\Users\user\Links\Ugisfxtz.PIF Process queried: DebugPort
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02943E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_004438F4 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_07181126 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071C45B3 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_05494AB4 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_004438F4 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05121126 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_051645B3 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError
                        Source: C:\Windows\SysWOW64\recover.exe Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_00434F01 SetUnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071BC54C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071B6057 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071B5BC0 SetUnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_071B5A2D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_05492639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_054960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 6_2_05492B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_00434F01 SetUnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_0515C54C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05156057 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05155BC0 SetUnhandledExceptionFilter
                        Source: C:\Windows\SysWOW64\SndVol.exe Code function: 9_2_05155A2D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7180000 protect: page execute and read and write
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 5120000 protect: page execute and read and write
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00418267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,6_2_00418267
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 71815BC
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 51215BC
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7180000 value starts with: 4D5A
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000 value starts with: 4D5A
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Section unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7180000
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 2A9A008
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 2AF4008
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Memory written: C:\Windows\SysWOW64\recover.exe base: 313C008
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5120000
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_004197D9 mouse_event,6_2_004197D9
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\rDB_YAK_838327E.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\xrkt"
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\atxlilk"
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kndwjdukttx"
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGl
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGL
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG
                        Source: colorcpl.exe, 00000006.00000003.2497991322.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managere
                        Source: colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerneer
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager#
                        Source: colorcpl.exe, 00000006.00000003.2520874945.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2520445252.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: colorcpl.exe, 00000006.00000003.2497991322.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr]
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageres }
                        Source: colorcpl.exe, 00000006.00000002.4752885939.000000000342D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.4752885939.0000000003415000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                        Source: colorcpl.exe, 00000006.00000003.2464561625.000000000342D000.00000004.00000020.00020000.00000000.sdmp, myq.ocx.6.dr | Binary or memory string: [Program Manager]
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_00435034 cpuid 6_2_00435034
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,4_2_029354BC
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,4_2_0293A0B8
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: GetLocaleInfoA,4_2_0293A104
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,4_2_029355C8
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_004520E2
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_00452097
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_0045217D
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,6_2_0040F26B
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_0045220A
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_0044844E
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_0045245A
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_00452583
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_0045268A
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_00452757
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_00448937
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_00451E1F
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_071D2E3C
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_071D2EC9
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_071D2D56
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_071D2DA1
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_071D2ADE
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_071C95F6
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_071D3416
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_071D3349
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_071D3242
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,6_2_071D3119
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,6_2_071C910D
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,6_2_0718FF2A
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_028F54BC
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: GetLocaleInfoA,8_2_028FA104
                        Source: C:\Users\user\Links\Ugisfxtz.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_028F55C7
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_004520E2
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_00452097
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_0045217D
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,9_2_0040F26B
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_0045220A
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_0044844E
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_0045245A
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00452583
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_0045268A
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00452757
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_00448937
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,9_2_00451E1F
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_05172D56
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_05172DA1
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_05172E3C
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_05172EC9
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,9_2_05172ADE
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_051695F6
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_05173416
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_05173119
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,9_2_0516910D
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,9_2_05173349
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_05173242
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,9_2_0512FF2A
                        Source: C:\Windows\SysWOW64\recover.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02938B38 GetLocalTime,4_2_02938B38
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02949F00 GetUserNameA,4_2_02949F00
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 6_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_004491DA
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_0293B038 GetVersionExA,4_2_0293B038
                        Source: C:\Users\user\AppData\Local\Temp\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\myq.ocx, type: DROPPED
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0040B59B
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040B59B
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0040B6B5
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 6_2_0040B6B5
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040B6B5
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db 9_2_0040B6B5
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
                        Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                        Source: Yara match | File source: 6.2.colorcpl.exe.31790000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.11.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.11.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.3.colorcpl.exe.315f26a0.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.31790000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000D.00000002.2516763955.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2496181551.00000000318F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2521024701.0000000031B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2521089638.0000000031A55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2496591271.0000000031591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2478603866.000000003179F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2521229038.00000000319A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.4772691610.0000000031790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2520685430.00000000315F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2498082588.00000000318F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2521160715.0000000031824000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000003.2520343856.0000000031591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: recover.exe PID: 6252, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.7180000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.5120000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.71818bf.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 9.2.SndVol.exe.51218bf.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000009.00000002.2403852969.0000000005120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.4749337631.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000009.00000002.2403177094.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.4755736828.0000000007180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 5640, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7036, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\myq.ocx, type: DROPPED
                        Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 6_2_00405091
                        Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe 9_2_00405091

                        MITRE ATT&CK Matrix (numbers preceding a technique are the signature counts shown in the report)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                        Credentials | Domains | Default Accounts | 1 Shared Modules | 1 Valid Accounts | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                        Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Valid Accounts | 1 DLL Side-Loading | 1 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 1 Registry Run Keys / Startup Folder | 11 Access Token Manipulation | 1 Bypass User Account Control | 3 Credentials In Files | 3 File and Directory Discovery | Distributed Component Object Model | 111 Input Capture | 22 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Windows Service | 11 Masquerading | LSA Secrets | 37 System Information Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 712 Process Injection | 1 Valid Accounts | Cached Domain Credentials | 231 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 2 Virtualization/Sandbox Evasion | DCSync | 2 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Access Token Manipulation | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 712 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Behavior Graph ID: 1627857
                        Sample: rDB_YAK_838327E.cmd
                        Start date: 03/03/2025
                        Architecture: WINDOWS
                        Score: 100

                        Process tree from the behavior graph, with the signatures, dropped files and network activity attached to each node:

                        rDB_YAK_838327E.cmd (start)
                          • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
                          • DNS: kavemarb99juyet1.duckdns.org (Uses dynamic DNS services); geoplugin.net
                          cmd.exe
                            conhost.exe
                            extrac32.exe
                              • Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
                            x.exe
                              • Dropped: C:\Users\user\Links\Ugisfxtz.PIF (PE32)
                              • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; 5 other signatures
                              colorcpl.exe
                                • Network: kavemarb99juyet1.duckdns.org -> 172.94.126.47:4688 (local ports 49783, 49789), KEMINETAL, United States
                                • Network: geoplugin.net -> 178.237.33.50:80 (local port 49790), ATOM86-ASATOM86NL, Netherlands
                                • Dropped: C:\Users\user\AppData\Roaming\myq.ocx (data)
                                • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 6 other signatures
                                recover.exe
                                  • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                                recover.exe
                                  • Signatures: Tries to steal Mail credentials (via file / registry access)
                                recover.exe
                          Ugisfxtz.PIF
                            • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 3 other signatures
                            SndVol.exe
                              • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies
                          Ugisfxtz.PIF
                            colorcpl.exe
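As an added example (not part of the Joe Sandbox report or its tooling), the chain in the behavior graph above can be turned into hunting rules over endpoint telemetry: extrac32.exe writing an executable, a PE with a .PIF extension landing in the user profile, a user-profile executable spawning colorcpl.exe or SndVol.exe (the hollowing hosts), those hosts resolving a DuckDNS name or making an outbound connection, and recover.exe being spawned from them. The events below are constructed Sysmon-style records that mirror the tree (paths, hostnames, IP and port copied from the report); the rule names, the Event class and the benign control event are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sysmon event IDs used below (real Sysmon IDs).
PROC_CREATE, NET_CONNECT, FILE_CREATE, DNS_QUERY = 1, 3, 11, 22


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed shape, not a real Sysmon schema).
    target is a file path (11), 'ip:port' (3) or a queried hostname (22)."""
    event_id: int
    image: str
    parent_image: str = ""
    target: str = ""


# Writable user-profile locations the loader used in the report (Links, AppData).
USER_DIRS = re.compile(r"\\Users\\[^\\]+\\(Links|AppData)\\", re.I)
# System binaries the loader hollowed in the report; neither needs network access.
HOLLOW_HOSTS = {"colorcpl.exe", "sndvol.exe"}
# Dynamic DNS provider used by the C2 in the report.
DYN_DNS = re.compile(r"\.duckdns\.org$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every event that matches a hunting rule."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.event_id == FILE_CREATE and img == "extrac32.exe" and e.target.lower().endswith(".exe"):
            hits.append(("extrac32_writes_exe", e.target))
        if e.event_id == FILE_CREATE and e.target.lower().endswith(".pif") and USER_DIRS.search(e.target):
            hits.append(("pif_dropped_in_profile", e.target))
        if e.event_id == PROC_CREATE and img in HOLLOW_HOSTS and USER_DIRS.search(e.parent_image):
            hits.append(("profile_exe_spawns_hollow_host", f"{parent} -> {img}"))
        if e.event_id == NET_CONNECT and img in HOLLOW_HOSTS:
            hits.append(("hollow_host_outbound", f"{img} -> {e.target}"))
        if e.event_id == DNS_QUERY and DYN_DNS.search(e.target):
            hits.append(("dynamic_dns_query", f"{img} -> {e.target}"))
        if e.event_id == PROC_CREATE and img == "recover.exe" and parent in HOLLOW_HOSTS:
            hits.append(("hollow_host_spawns_recover", f"{parent} -> {img}"))
    return hits


# Constructed telemetry replaying the report's process tree (not captured logs).
SAMPLE_EVENTS = [
    Event(PROC_CREATE, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    Event(PROC_CREATE, r"C:\Windows\System32\extrac32.exe", r"C:\Windows\System32\cmd.exe"),
    Event(FILE_CREATE, r"C:\Windows\System32\extrac32.exe", target=r"C:\Users\user\AppData\Local\Temp\x.exe"),
    Event(PROC_CREATE, r"C:\Users\user\AppData\Local\Temp\x.exe", r"C:\Windows\System32\cmd.exe"),
    Event(FILE_CREATE, r"C:\Users\user\AppData\Local\Temp\x.exe", target=r"C:\Users\user\Links\Ugisfxtz.PIF"),
    Event(PROC_CREATE, r"C:\Windows\System32\colorcpl.exe", r"C:\Users\user\AppData\Local\Temp\x.exe"),
    Event(DNS_QUERY, r"C:\Windows\System32\colorcpl.exe", target="kavemarb99juyet1.duckdns.org"),
    Event(NET_CONNECT, r"C:\Windows\System32\colorcpl.exe", target="172.94.126.47:4688"),
    Event(PROC_CREATE, r"C:\Windows\System32\recover.exe", r"C:\Windows\System32\colorcpl.exe"),
    Event(PROC_CREATE, r"C:\Windows\System32\SndVol.exe", r"C:\Users\user\Links\Ugisfxtz.PIF"),
]

# Constructed benign control: a user opens Color Management from Explorer, no network.
BENIGN_EVENTS = [
    Event(PROC_CREATE, r"C:\Windows\System32\colorcpl.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
    print("benign hits:", detect(BENIGN_EVENTS))
```

The parent-process rule is what separates the hollowed colorcpl.exe from a legitimate one: the binary is identical, but Explorer never launches it from a .PIF in the user's Links folder or from an executable in Temp. The DuckDNS and outbound-connection rules are the cheapest to deploy from proxy or DNS logs alone, and the remote port 4688 from the report is a usable network IOC for this sample.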
