Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:Quotation.exe
Analysis ID:1640468
MD5:cb910250707d246104e047dac8317d41
SHA1:bc9a3cc3e61b9123738d7025e36e921aaf2260e8
SHA256:8455a4960b81bd908b3c73ccdd8e1b95630551bb8810be539aa20725ccd82079
Tags:exeuser-threatcat_ch
Infos:

Detection

DBatLoader, Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Creation with Colorcpl
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Quotation.exe (PID: 8940 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: CB910250707D246104E047DAC8317D41)
    • cmd.exe (PID: 9044 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4140.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 9072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 8236 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 7040 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 8440 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 9092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\22183.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 9108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 9164 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • colorcpl.exe (PID: 8196 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • recover.exe (PID: 8436 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cjuokcdbbgcjypgifkadlgabsyky" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 8404 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fdhglvnuxouoivcuwvmxwtvktnthewt" MD5: D38B657A068016768CA9F3B5E100B472)
      • recover.exe (PID: 8384 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pfmz" MD5: D38B657A068016768CA9F3B5E100B472)
    • backgroundTaskHost.exe (PID: 9092 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca MD5: DA7063B17DBB8BBB3015351016868006)
  • Agcakrhb.PIF (PID: 6888 cmdline: "C:\Users\user\Links\Agcakrhb.PIF" MD5: CB910250707D246104E047DAC8317D41)
    • colorcpl.exe (PID: 6940 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Agcakrhb.PIF (PID: 9140 cmdline: "C:\Users\user\Links\Agcakrhb.PIF" MD5: CB910250707D246104E047DAC8317D41)
    • SndVol.exe (PID: 6812 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DBatLoaderThis Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:20908:1"], "Assigned name": "MC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-3GMLHL", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "chrome", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000014.00000002.1452122870.000000002C050000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
        00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
          00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
            Click to see the 57 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.Quotation.exe.23dab48.0.raw.unpackJoeSecurity_DBatLoaderYara detected DBatLoaderJoe Security
              9.3.colorcpl.exe.206726a0.14.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                9.2.colorcpl.exe.20810000.4.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                  9.2.colorcpl.exe.20810000.4.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                    16.2.recover.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                      Click to see the 44 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
                      Source: File createdAuthor: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation.exe, ProcessId: 8940, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
                      Sigma detected: Execution from Suspicious Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4140.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9044, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 7040, ProcessName: alpha.pif
                      Sigma detected: Suspicious Creation with Colorcpl
                      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 8196, TargetFilename: C:\Users\user
                      Sigma detected: CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Agcakrhb.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Quotation.exe, ProcessId: 8940, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agcakrhb
                      Sigma detected: Execution of Suspicious File Type Extension
                      Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4140.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9044, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 7040, ProcessName: alpha.pif

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T11:03:05.171207+010020365941Malware Command and Control Activity Detected192.168.2.549720185.208.156.4520908TCP
                      2025-03-17T11:03:06.623115+010020365941Malware Command and Control Activity Detected192.168.2.549721185.208.156.4520908TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T11:03:06.576366+010028033043Unknown Traffic192.168.2.549722178.237.33.5080TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus detection for URL or domain
                      Source: qwertyuioplkjhgfdsazxcvbnm.ydns.euAvira URL Cloud: Label: malware
                      Found malware configuration
                      Source: 9.2.colorcpl.exe.2820000.0.unpackMalware Configuration Extractor: Remcos {"Host:Port:Password": ["qwertyuioplkjhgfdsazxcvbnm.ydns.eu:20908:1"], "Assigned name": "MC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-3GMLHL", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "chrome", "Keylog folder": "remcos"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\Links\Agcakrhb.PIFReversingLabs: Detection: 34%
                      Multi AV Scanner detection for submitted file
                      Source: Quotation.exeVirustotal: Detection: 38%Perma Link
                      Source: Quotation.exeReversingLabs: Detection: 34%
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1452122870.000000002C050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1531833628.000000001B6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR
                      Joe Sandbox ML detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02853B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_02853B64
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C33B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,20_2_02C33B64
                      Source: Quotation.exeBinary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

                      barindex
                      Yara detected UAC Bypass using CMSTP
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR

                      Privilege Escalation

                      barindex
                      Contains functionality to bypass UAC (CMSTPLUA)
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02826ABC _wcslen,CoGetObject,9_2_02826ABC
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C06ABC _wcslen,CoGetObject,20_2_02C06ABC
                      Source: Quotation.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345613239.0000000020990000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1344168957.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: Quotation.exe, 00000000.00000003.1269398248.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F070000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1295642717.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP source: esentutl.exe, 0000000A.00000003.1278983273.00000000055C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000C.00000002.1299363348.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000E.00000000.1301281062.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.10.dr
                      Source: Binary string: easinvoker.pdbGCTL source: Quotation.exe, 00000000.00000003.1269398248.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F070000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1295642717.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270613945.000000000090B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270613945.000000000093A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb source: esentutl.exe, 0000000A.00000003.1278983273.00000000055C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 0000000C.00000002.1299363348.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000E.00000000.1301281062.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.10.dr
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_029D52F8
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028290DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,9_2_028290DC
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0282B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,9_2_0283C7E5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0282B8BA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0286E989 FindFirstFileExA,9_2_0286E989
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02827EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,9_2_02827EDD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02826F13 FindFirstFileW,FindNextFileW,9_2_02826F13
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02828CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,9_2_02828CDE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02839CEE FindFirstFileW,FindNextFileW,FindNextFileW,9_2_02839CEE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_201610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_201610F1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_20166580 FindFirstFileExA,9_2_20166580
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00180207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,12_2_00180207
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0018589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,12_2_0018589A
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00193E66 FindFirstFileW,FindNextFileW,FindClose,12_2_00193E66
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00184EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,12_2_00184EC1
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,12_2_0017532E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040B477 FindFirstFileW,FindNextFileW,16_2_0040B477
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,20_2_02C090DC
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C0B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_02C0B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_02C1C7E5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C0B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_02C0B8BA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C4E989 FindFirstFileExA,20_2_02C4E989
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C07EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_02C07EDD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C06F13 FindFirstFileW,FindNextFileW,20_2_02C06F13
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C08CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,20_2_02C08CDE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C19CEE FindFirstFileW,FindNextFileW,FindNextFileW,20_2_02C19CEE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02827357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_02827357

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49721 -> 185.208.156.45:20908
                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49720 -> 185.208.156.45:20908
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
                      Uses ping.exe to check the status of other devices and networks
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
                      Source: global trafficTCP traffic: 192.168.2.5:49720 -> 185.208.156.45:20908
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 185.208.156.45 185.208.156.45
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
                      Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49722 -> 178.237.33.50:80
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02847321 recv,9_2_02847321
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                      Source: recover.exe, 00000010.00000002.1344630288.0000000004728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: recover.exe, 00000010.00000002.1344630288.0000000004728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                      Source: recover.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: global trafficDNS traffic detected: DNS query: qwertyuioplkjhgfdsazxcvbnm.ydns.eu
                      Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://c.pki.goog/r/gsr1.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://c.pki.goog/r/r4.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0F
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                      Source: colorcpl.exe, 00000009.00000003.1303796594.000000001E279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                      Source: colorcpl.exeString found in binary or memory: http://geoplugin.net/json.gp
                      Source: Quotation.exe, 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: colorcpl.exe, 00000009.00000003.1303796594.000000001E257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpF
                      Source: colorcpl.exe, 00000009.00000003.1345257760.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345028661.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314524795.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316838262.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316705126.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1312205091.000000001E24C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1313290082.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1313504758.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1303796594.000000001E257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpP
                      Source: colorcpl.exe, 00000009.00000003.1345257760.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345028661.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314524795.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316838262.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316705126.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1312205091.000000001E24C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1313290082.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1313504758.000000001E257000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1303796594.000000001E257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpW
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://i.pki.goog/gsr1.crt0-
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://i.pki.goog/r4.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://i.pki.goog/we2.crt0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://o.pki.goog/we20%
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.digicert.com0:
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.digicert.com0H
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.digicert.com0I
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.digicert.com0O
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocsp.msocsp.com0S
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://ocspx.digicert.com0E
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://www.digicert.com/CPS0~
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000012.00000003.1328433001.00000000031ED000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000012.00000003.1328478014.00000000031ED000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                      Source: recover.exe, 00000012.00000003.1328433001.00000000031ED000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000012.00000003.1328478014.00000000031ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                      Source: bhv72CB.tmp.16.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                      Source: recover.exe, 00000010.00000002.1344271495.0000000002A94000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                      Source: recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: Quotation.exe, 00000000.00000003.1270061813.000000007F104000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1295642717.0000000002543000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1269688065.000000007F084000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: recover.exeString found in binary or memory: https://login.yahoo.com/config/login
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                      Source: colorcpl.exe, 00000009.00000002.3742936389.0000000020130000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000012.00000002.1329087613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: recover.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                      Source: bhv72CB.tmp.16.drString found in binary or memory: https://www.office.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Contains functionality to register a low level keyboard hook
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02829D1E SetWindowsHookExA 0000000D,02829D0A,000000009_2_02829D1E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B158 OpenClipboard,GetClipboardData,CloseClipboard,9_2_0282B158
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,9_2_0283696E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,16_2_00409E39
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_00409EA1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_00406DFC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,17_2_00406E9F
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_004068B5
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,18_2_004072B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,20_2_02C1696E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B158 OpenClipboard,GetClipboardData,CloseClipboard,9_2_0282B158
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02829E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,9_2_02829E4A
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR

                      E-Banking Fraud

                      barindex
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1452122870.000000002C050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1531833628.000000001B6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      barindex
                      Contains functionalty to change the wallpaper
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283CF2D SystemParametersInfoW,9_2_0283CF2D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1CF2D SystemParametersInfoW,20_2_02C1CF2D

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sampleStatic PE information: Filename: Quotation.exe
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3380 NtWriteVirtualMemory,0_2_029E3380
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3034 NtAllocateVirtualMemory,0_2_029E3034
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E9654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_029E9654
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_029E9738
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_029E95CC
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3C04 NtQueueApcThread,0_2_029E3C04
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E421C GetThreadContext,SetThreadContext,NtResumeThread,0_2_029E421C
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E421A GetThreadContext,SetThreadContext,NtResumeThread,0_2_029E421A
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3032 NtAllocateVirtualMemory,0_2_029E3032
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_029E9578
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02838267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,9_2_02838267
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283C0A3 OpenProcess,NtResumeProcess,CloseHandle,9_2_0283C0A3
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283C077 OpenProcess,NtSuspendProcess,CloseHandle,9_2_0283C077
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0018643A NtOpenThreadToken,NtOpenProcessToken,NtClose,12_2_0018643A
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00184823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,12_2_00184823
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00197460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,12_2_00197460
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_001864CA NtQueryInformationToken,12_2_001864CA
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00186500 NtQueryInformationToken,NtQueryInformationToken,12_2_00186500
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019A135 NtSetInformationFile,12_2_0019A135
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,12_2_0019C1FA
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00174E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,12_2_00174E3B
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00184759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,12_2_00184759
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040BAE3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004016FD NtdllDefWindowProc_A,17_2_004016FD
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004017B7 NtdllDefWindowProc_A,17_2_004017B7
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00402CAC NtdllDefWindowProc_A,18_2_00402CAC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00402D66 NtdllDefWindowProc_A,18_2_00402D66
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02903380 NtWriteVirtualMemory,19_2_02903380
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02903034 NtAllocateVirtualMemory,19_2_02903034
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02909738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,19_2_02909738
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02903C04 NtQueueApcThread,19_2_02903C04
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_0290421A GetThreadContext,SetThreadContext,NtResumeThread,19_2_0290421A
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_0290421C GetThreadContext,SetThreadContext,NtResumeThread,19_2_0290421C
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02909809 NtQueryInformationFile,NtReadFile,NtClose,19_2_02909809
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02903032 NtAllocateVirtualMemory,19_2_02903032
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02909654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,19_2_02909654
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_0290341B NtWriteVirtualMemory,19_2_0290341B
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_029095CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,19_2_029095CC
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_02909578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,19_2_02909578
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00174C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,12_2_00174C10
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029EA634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,0_2_029EA634
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02836861 ExitWindowsEx,LoadLibraryA,GetProcAddress,9_2_02836861
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C16861 ExitWindowsEx,LoadLibraryA,GetProcAddress,20_2_02C16861
                      Source: C:\Users\Public\alpha.pifFile created: C:\WindowsJump to behavior
                      Source: C:\Users\Public\alpha.pifFile created: C:\Windows \SysWOW64Jump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D20B40_2_029D20B4
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A589E20_2_02A589E2
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A2C9EE0_2_02A2C9EE
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A3C94A0_2_02A3C94A
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A2CF650_2_02A2CF65
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A24D790_2_02A24D79
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A432F20_2_02A432F2
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A192100_2_02A19210
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A530490_2_02A53049
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A391E30_2_02A391E3
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A5969B0_2_02A5969B
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A2D60D0_2_02A2D60D
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A477300_2_02A47730
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A2D7470_2_02A2D747
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A437500_2_02A43750
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A435210_2_02A43521
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A37B110_2_02A37B11
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A3D8F00_2_02A3D8F0
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A2380B0_2_02A2380B
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A439AD0_2_02A439AD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283E29B9_2_0283E29B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028583809_2_02858380
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028573DA9_2_028573DA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0284809D9_2_0284809D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028621C09_2_028621C0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028481D79_2_028481D7
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285E1E09_2_0285E1E0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0287412B9_2_0287412B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285774C9_2_0285774C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285E43D9_2_0285E43D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028734729_2_02873472
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0284747E9_2_0284747E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028525A19_2_028525A1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0286DAD99_2_0286DAD9
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283F8099_2_0283F809
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028479F59_2_028479F5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028579F69_2_028579F6
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285DFB19_2_0285DFB1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02855F529_2_02855F52
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02857F789_2_02857F78
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02833CA09_2_02833CA0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02857CBD9_2_02857CBD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02853C739_2_02853C73
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285DD829_2_0285DD82
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_201771949_2_20177194
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_2016B5C19_2_2016B5C1
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00174C1012_2_00174C10
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017540A12_2_0017540A
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0018487512_2_00184875
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_001774B112_2_001774B1
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019695A12_2_0019695A
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017914412_2_00179144
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019419112_2_00194191
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017EE0312_2_0017EE03
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00177A3412_2_00177A34
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00176E5712_2_00176E57
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017D66012_2_0017D660
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00193E6612_2_00193E66
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019769E12_2_0019769E
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00185A8612_2_00185A86
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00183EB312_2_00183EB3
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00184EC112_2_00184EC1
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00176B2012_2_00176B20
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0018074012_2_00180740
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00180BF012_2_00180BF0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044A03016_2_0044A030
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040612B16_2_0040612B
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0043E13D16_2_0043E13D
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044B18816_2_0044B188
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044227316_2_00442273
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044D38016_2_0044D380
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044A5F016_2_0044A5F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_004125F616_2_004125F6
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_004065BF16_2_004065BF
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_004086CB16_2_004086CB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_004066BC16_2_004066BC
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044D76016_2_0044D760
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00405A4016_2_00405A40
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00449A4016_2_00449A40
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00405AB116_2_00405AB1
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00405B2216_2_00405B22
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044ABC016_2_0044ABC0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00405BB316_2_00405BB3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00417C6016_2_00417C60
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044CC7016_2_0044CC70
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00418CC916_2_00418CC9
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044CDFB16_2_0044CDFB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044CDA016_2_0044CDA0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0044AE2016_2_0044AE20
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00415E3E16_2_00415E3E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_00437F3B16_2_00437F3B
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0040503817_2_00405038
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0041208C17_2_0041208C
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004050A917_2_004050A9
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0040511A17_2_0040511A
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0043C13A17_2_0043C13A
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004051AB17_2_004051AB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0044930017_2_00449300
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0040D32217_2_0040D322
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0044A4F017_2_0044A4F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0043A5AB17_2_0043A5AB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0041363117_2_00413631
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0044669017_2_00446690
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0044A73017_2_0044A730
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004398D817_2_004398D8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_004498E017_2_004498E0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0044A88617_2_0044A886
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0043DA0917_2_0043DA09
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00438D5E17_2_00438D5E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00449ED017_2_00449ED0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_0041FE8317_2_0041FE83
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00430F5417_2_00430F54
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004050C218_2_004050C2
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004014AB18_2_004014AB
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_0040513318_2_00405133
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004051A418_2_004051A4
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_0040124618_2_00401246
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_0040CA4618_2_0040CA46
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_0040523518_2_00405235
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_004032C818_2_004032C8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_0040168918_2_00401689
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00402F6018_2_00402F60
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: 19_2_028F20B419_2_028F20B4
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1E29B20_2_02C1E29B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C373DA20_2_02C373DA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3838020_2_02C38380
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C2809D20_2_02C2809D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C421C020_2_02C421C0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C281D720_2_02C281D7
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3E1E020_2_02C3E1E0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C5412B20_2_02C5412B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3774C20_2_02C3774C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C5347220_2_02C53472
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C2747E20_2_02C2747E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3E43D20_2_02C3E43D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C325A120_2_02C325A1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C4DAD920_2_02C4DAD9
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1F80920_2_02C1F809
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C379F620_2_02C379F6
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C279F520_2_02C279F5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3DFB120_2_02C3DFB1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C35F5220_2_02C35F52
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C37F7820_2_02C37F78
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C13CA020_2_02C13CA0
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C37CBD20_2_02C37CBD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C33C7320_2_02C33C73
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3DD8220_2_02C3DD82
                      Source: Joe Sandbox ViewDropped File: C:\Users\Public\alpha.pif 4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: String function: 028F457C appears 570 times
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: String function: 02903E20 appears 48 times
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: String function: 028F4414 appears 154 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02C351E0 appears 55 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 028551E0 appears 55 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02C34ACF appears 43 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02854ACF appears 43 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02C01F96 appears 49 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02821EBF appears 33 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02C02117 appears 39 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02822117 appears 40 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02821F96 appears 49 times
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 02C01EBF appears 31 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 029E3E9C appears 45 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 029D4414 appears 246 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 029D457C appears 835 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 029D421C appears 64 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 029E3E20 appears 54 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 02A3A750 appears 46 times
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 02A07687 appears 38 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 0044DDB0 appears 33 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00418555 appears 34 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004186B6 appears 58 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 004188FE appears 88 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00422297 appears 42 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00444B5A appears 37 times
                      Source: C:\Windows\SysWOW64\recover.exeCode function: String function: 00413025 appears 79 times
                      Source: Quotation.exe, 00000000.00000003.1270613945.000000000092F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1270061813.000000007F104000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1270061813.000000007F104000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1270613945.000000000095E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000002.1295642717.0000000002543000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000002.1295642717.0000000002543000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000002.1295642717.0000000002500000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1269688065.000000007F084000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs Quotation.exe
                      Source: Quotation.exe, 00000000.00000003.1269688065.000000007F084000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs Quotation.exe
                      Source: Quotation.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@32/12@2/3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,16_2_0041A225
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02837AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,9_2_02837AD9
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,18_2_00410DE1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C17AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,20_2_02C17AD9
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D793C GetDiskFreeSpaceA,0_2_029D793C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,9_2_0282C03C
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283B9AB FindResourceA,LoadResource,LockResource,SizeofResource,9_2_0283B9AB
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283AE6B OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0283AE6B
                      Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\All Users\4140.cmdJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeMutant created: \Sessions\1\BaseNamedObjects\chrome-3GMLHL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9072:120:WilError_03
                      Source: C:\Windows\SysWOW64\recover.exeFile created: C:\Users\user\AppData\Local\Temp\bhv72CB.tmpJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSystem information queried: HandleInformationJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: colorcpl.exe, 00000009.00000002.3743459386.0000000020BC0000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: recover.exe, 00000010.00000002.1344829611.0000000004F03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: Quotation.exeVirustotal: Detection: 38%
                      Source: Quotation.exeReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\Quotation.exeFile read: C:\Users\user\Desktop\Quotation.exeJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknownProcess created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4140.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\22183.cmd""
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cjuokcdbbgcjypgifkadlgabsyky"
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fdhglvnuxouoivcuwvmxwtvktnthewt"
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pfmz"
                      Source: unknownProcess created: C:\Users\user\Links\Agcakrhb.PIF "C:\Users\user\Links\Agcakrhb.PIF"
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                      Source: unknownProcess created: C:\Users\user\Links\Agcakrhb.PIF "C:\Users\user\Links\Agcakrhb.PIF"
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4140.cmd""Jump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\22183.cmd""Jump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /oJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cjuokcdbbgcjypgifkadlgabsyky"Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fdhglvnuxouoivcuwvmxwtvktnthewt"Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pfmz"Jump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: olepro32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: url.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ??????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\esentutl.exeSection loaded: esent.dllJump to behavior
                      Source: C:\Windows\SysWOW64\esentutl.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\esentutl.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: pstorec.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: olepro32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: url.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: olepro32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: url.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: dwmapi.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: winmm.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\SndVol.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mrmcorer.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: biwinrt.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.staterepositorycore.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wincorlib.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cabinet.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: bingconfigurationclient.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.storage.applicationdata.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windowsudk.shellcommon.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dictationmanager.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: slc.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: sppc.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.staterepositoryclient.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.ui.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windowmanagementapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: textinputframework.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: inputhost.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: languageoverlayutil.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: bcp47mrm.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.web.http.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: audioses.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: winmmbase.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mmdevapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mmdevapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: devobj.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.applicationmodel.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.ui.immersive.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.globalization.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: logoncli.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: flightsettings.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.cortana.proxystub.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.security.authentication.onlineid.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: profext.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: firewallapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: fwbase.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: certenroll.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: certca.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dsparse.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mlang.dll
                      Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.web.dll
                      Source: C:\Users\user\Desktop\Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                      Source: Quotation.exeStatic file information: File size 1634816 > 1048576
                      Source: Quotation.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x108a00
                      Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: colorcpl.exe, 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1345613239.0000000020990000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1344168957.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: Quotation.exe, 00000000.00000003.1269398248.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F070000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1295642717.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP source: esentutl.exe, 0000000A.00000003.1278983273.00000000055C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000C.00000002.1299363348.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000E.00000000.1301281062.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.10.dr
                      Source: Binary string: easinvoker.pdbGCTL source: Quotation.exe, 00000000.00000003.1269398248.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F070000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000002.1295642717.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270061813.000000007F083000.00000004.00001000.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270613945.000000000090B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000000.00000003.1270613945.000000000093A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb source: esentutl.exe, 0000000A.00000003.1278983273.00000000055C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 0000000C.00000002.1299363348.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000E.00000000.1301281062.0000000000171000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.10.dr

                      Data Obfuscation

                      barindex
                      Yara detected DBatLoader
                      Source: Yara matchFile source: 0.2.Quotation.exe.23dab48.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.23dab48.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.1282529914.00000000023DA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: alpha.pif.10.drStatic PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,0_2_029E3E20
                      Source: alpha.pif.10.drStatic PE information: section name: .didat
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F62A4 push 029F630Fh; ret 0_2_029F6307
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F60AC push 029F6125h; ret 0_2_029F611D
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029EA018 push ecx; mov dword ptr [esp], edx0_2_029EA01D
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E606C push 029E60A4h; ret 0_2_029E609C
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DC1CE push 029DC61Eh; ret 0_2_029DC616
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F61F8 push 029F6288h; ret 0_2_029F6280
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F6144 push 029F61ECh; ret 0_2_029F61E4
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D617C push 029D61BEh; ret 0_2_029D61B6
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D617A push 029D61BEh; ret 0_2_029D61B6
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A5C63F push ecx; ret 0_2_02A5C652
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A3A796 push ecx; ret 0_2_02A3A7A9
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DC498 push 029DC61Eh; ret 0_2_029DC616
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E2410 push ecx; mov dword ptr [esp], edx0_2_029E2412
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E2EDC push 029E2F87h; ret 0_2_029E2F7F
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E2EDA push 029E2F87h; ret 0_2_029E2F7F
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A5CF70 push eax; ret 0_2_02A5CF8E
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DCDE0 push 029DCE0Ch; ret 0_2_029DCE04
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D3210 push eax; ret 0_2_029D324C
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DF600 push 029DF64Dh; ret 0_2_029DF645
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DF4F4 push 029DF56Ah; ret 0_2_029DF562
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DF5FF push 029DF64Dh; ret 0_2_029DF645
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F7510 pushad ; retf 0_2_029F7511
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029F5854 push 029F5A3Ah; ret 0_2_029F5A32
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DBE18 push ecx; mov dword ptr [esp], edx0_2_029DBE1D
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3F84 push 029E3FBCh; ret 0_2_029E3FB4
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E9FB4 push ecx; mov dword ptr [esp], edx0_2_029E9FB9
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D5D9E push 029D5DFBh; ret 0_2_029D5DF3
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D5DA0 push 029D5DFBh; ret 0_2_029D5DF3
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3D40 push 029E3D82h; ret 0_2_029E3D7A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02855226 push ecx; ret 9_2_02855239
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028770CF push ecx; ret 9_2_028770E2

                      Persistence and Installation Behavior

                      barindex
                      Drops PE files with a suspicious file extension
                      Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                      Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\user\Links\Agcakrhb.PIFJump to dropped file
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028262E2 ShellExecuteW,URLDownloadToFileW,9_2_028262E2
                      Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                      Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\user\Links\Agcakrhb.PIFJump to dropped file
                      Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file

                      Boot Survival

                      barindex
                      Drops PE files to the user root directory
                      Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0283AC43
                      Source: C:\Users\user\Desktop\Quotation.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AgcakrhbJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AgcakrhbJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E64E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_029E64E4
                      Source: C:\Users\user\Desktop\Quotation.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Uses ping.exe to sleep
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10Jump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040BAE3
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,9_2_0283A941
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,20_2_02C1A941
                      Source: C:\Windows\SysWOW64\colorcpl.exeWindow / User API: threadDelayed 2469Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeWindow / User API: threadDelayed 7517Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_9-53904
                      Source: C:\Windows\SysWOW64\colorcpl.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_9-53592
                      Source: C:\Users\Public\alpha.pifAPI coverage: 6.3 %
                      Source: C:\Windows\SysWOW64\recover.exeAPI coverage: 9.6 %
                      Source: C:\Windows\SysWOW64\colorcpl.exeAPI coverage: 6.1 %
                      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7020Thread sleep count: 2469 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7020Thread sleep time: -7407000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7020Thread sleep count: 7517 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7020Thread sleep time: -22551000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_029D52F8
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028290DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,9_2_028290DC
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0282B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0283C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,9_2_0283C7E5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0282B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0282B8BA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0286E989 FindFirstFileExA,9_2_0286E989
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02827EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,9_2_02827EDD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02826F13 FindFirstFileW,FindNextFileW,9_2_02826F13
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02828CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,9_2_02828CDE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02839CEE FindFirstFileW,FindNextFileW,FindNextFileW,9_2_02839CEE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_201610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_201610F1
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_20166580 FindFirstFileExA,9_2_20166580
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00180207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,12_2_00180207
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0018589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,12_2_0018589A
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00193E66 FindFirstFileW,FindNextFileW,FindClose,12_2_00193E66
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00184EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,12_2_00184EC1
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0017532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,12_2_0017532E
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040B477 FindFirstFileW,FindNextFileW,16_2_0040B477
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,20_2_02C090DC
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C0B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_02C0B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C1C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_02C1C7E5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C0B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_02C0B8BA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C4E989 FindFirstFileExA,20_2_02C4E989
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C07EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_02C07EDD
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C06F13 FindFirstFileW,FindNextFileW,20_2_02C06F13
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C08CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,20_2_02C08CDE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C19CEE FindFirstFileW,FindNextFileW,FindNextFileW,20_2_02C19CEE
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02827357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_02827357
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0041A8D8 memset,GetSystemInfo,16_2_0041A8D8
                      Source: colorcpl.exe, 00000009.00000003.1345028661.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1312205091.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1304356600.000000001E28E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWN
                      Source: colorcpl.exe, 00000009.00000003.1345028661.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1312205091.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E218000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E28E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000003.1304356600.000000001E28E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: Quotation.exe, 00000000.00000002.1281866480.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Agcakrhb.PIF, 00000013.00000002.1422329926.000000000085E000.00000004.00000020.00020000.00000000.sdmp, Agcakrhb.PIF, 00000018.00000002.1507269155.0000000000788000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: bhv72CB.tmp.16.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\Desktop\Quotation.exeAPI call chain: ExitProcess graph end nodegraph_0-67391
                      Source: C:\Windows\SysWOW64\colorcpl.exeAPI call chain: ExitProcess graph end nodegraph_9-55018
                      Source: C:\Windows\SysWOW64\recover.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\Links\Agcakrhb.PIFAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\recover.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      barindex
                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029EA5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,0_2_029EA5B0
                      Source: C:\Users\user\Desktop\Quotation.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0285B88D
                      Source: C:\Windows\SysWOW64\recover.exeCode function: 16_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040BAE3
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,0_2_029E3E20
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A8691D mov eax, dword ptr fs:[00000030h]0_2_02A8691D
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A48E64 mov eax, dword ptr fs:[00000030h]0_2_02A48E64
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028638F4 mov eax, dword ptr fs:[00000030h]9_2_028638F4
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_20164AB4 mov eax, dword ptr fs:[00000030h]9_2_20164AB4
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_0019C1FA mov eax, dword ptr fs:[00000030h]12_2_0019C1FA
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C438F4 mov eax, dword ptr fs:[00000030h]20_2_02C438F4
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02831999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,9_2_02831999
                      Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02855398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_02855398
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_0285B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0285B88D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02854F01 SetUnhandledExceptionFilter,9_2_02854F01
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02854D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_02854D6E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_201660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_201660E2
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_20162639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_20162639
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_20162B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_20162B1C
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00186EC0 SetUnhandledExceptionFilter,12_2_00186EC0
                      Source: C:\Users\Public\alpha.pifCode function: 12_2_00186B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00186B40
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C35398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_02C35398
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C3B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_02C3B88D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C34F01 SetUnhandledExceptionFilter,20_2_02C34F01
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 20_2_02C34D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_02C34D6E

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Early bird code injection technique detected
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exeJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exeJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\Quotation.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2820000 protect: page execute and read and writeJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2C00000 protect: page execute and read and writeJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFMemory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2AB0000 protect: page execute and read and write
                      Contains functionality to inject code into remote processes
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_02838267 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,GetLastError,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,9_2_02838267
                      Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                      Source: C:\Windows\SysWOW64\esentutl.exeFile created: C:\Users\Public\alpha.pifJump to dropped file
                      Maps a DLL or memory area into another process
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and writeJump to behavior
                      Queues an APC in another process (thread injection)
                      Source: C:\Users\user\Desktop\Quotation.exeThread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exeJump to behavior
                      Sample uses process hollowing technique
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeSection unmapped: C:\Windows\SysWOW64\recover.exe base address: 400000Jump to behavior
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\colorcpl.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2898008Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 299F008Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2BEE008Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028397D9 mouse_event,9_2_028397D9
                      Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /oJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\cjuokcdbbgcjypgifkadlgabsyky"Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\fdhglvnuxouoivcuwvmxwtvktnthewt"Jump to behavior
                      Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pfmz"Jump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exeJump to behavior
                      Source: C:\Users\user\Links\Agcakrhb.PIFProcess created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
                      Source: colorcpl.exe, 00000009.00000002.3742352194.000000001E257000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: colorcpl.exe, 00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E287000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000009.00000002.3742352194.000000001E279000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_02A3A5A4 cpuid 0_2_02A3A5A4
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_029D54BC
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: GetLocaleInfoA,0_2_029DA0B8
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: GetLocaleInfoA,0_2_029DA104
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_029D55C8
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoA,9_2_0282F26B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_0287220A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,9_2_02872097
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,9_2_028720E2
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,9_2_0287217D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,9_2_0287268A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_02872757
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,9_2_0286844E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,9_2_0287245A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_02872583
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,9_2_02868937
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,9_2_02871E1F
                      Source: C:\Users\Public\alpha.pifCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,12_2_00178572
                      Source: C:\Users\Public\alpha.pifCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,12_2_00176854
                      Source: C:\Users\Public\alpha.pifCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,12_2_00179310
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,19_2_028F54BC
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: GetLocaleInfoA,19_2_028FA104
                      Source: C:\Users\user\Links\Agcakrhb.PIFCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,19_2_028F55C7
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoA,20_2_02C0F26B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,20_2_02C5220A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,20_2_02C520E2
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,20_2_02C52097
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,20_2_02C5217D
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,20_2_02C5268A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_02C52757
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: EnumSystemLocalesW,20_2_02C4844E
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,20_2_02C5245A
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,20_2_02C52583
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: GetLocaleInfoW,20_2_02C48937
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,20_2_02C51E1F
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029D8B38 GetLocalTime,0_2_029D8B38
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029E9F00 GetUserNameA,0_2_029E9F00
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 9_2_028693AF _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,9_2_028693AF
                      Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_029DB038 GetVersionExA,0_2_029DB038
                      Source: C:\Windows\SysWOW64\colorcpl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1452122870.000000002C050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1531833628.000000001B6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR
                      Contains functionality to steal Chrome passwords or cookies
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data9_2_0282B59B
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data20_2_02C0B59B
                      Contains functionality to steal Firefox passwords or cookies
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\9_2_0282B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \key3.db9_2_0282B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\20_2_02C0B6B5
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: \key3.db20_2_02C0B6B5
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Tries to steal Instant Messenger accounts or passwords
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Windows\SysWOW64\recover.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                      Tries to steal Mail credentials (via file registry)
                      Source: C:\Windows\SysWOW64\recover.exeCode function: ESMTPPassword17_2_004033F0
                      Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword17_2_00402DB3
                      Source: C:\Windows\SysWOW64\recover.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword17_2_00402DB3
                      Yara detected WebBrowserPassView password recovery tool
                      Source: Yara matchFile source: 9.3.colorcpl.exe.206726a0.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.20810000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.20810000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.3743327467.0000000020810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1345209100.0000000020611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1345718928.0000000020A4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1316887237.0000000020BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1345664304.00000000208B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.1344168957.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1315605874.000000002081F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1316483283.0000000020993000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1344853674.0000000020673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1345547353.0000000020B0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1316639906.000000002058B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1314484058.0000000020611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.1345613239.0000000020990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: recover.exe PID: 8436, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected Remcos RAT
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 25.2.SndVol.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.colorcpl.exe.2820000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Quotation.exe.29d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E243000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1452122870.000000002C050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.1422292049.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3729041823.0000000002820000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1506976083.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.3742352194.000000001E218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000002.1531833628.000000001B6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1299175865.0000000002A05000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1314109935.000000007E770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 8940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 8196, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6940, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 6812, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: cmd.exe9_2_02825091
                      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: cmd.exe20_2_02C05091

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire Infrastructure1
                      Valid Accounts                      		21
                      Native API                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		2
                      OS Credential Dumping                      		2
                      System Time Discovery                      		Remote Services11
                      Archive Collected Data                      		12
                      Ingress Tool Transfer                      		Exfiltration Over Other Network Medium1
                      System Shutdown/Reboot
                      CredentialsDomainsDefault Accounts1
                      Shared Modules                      		1
                      Valid Accounts                      		1
                      Bypass User Account Control                      		1
                      Deobfuscate/Decode Files or Information                      		111
                      Input Capture                      		1
                      Account Discovery                      		Remote Desktop Protocol1
                      Data from Local System                      		2
                      Encrypted Channel                      		Exfiltration Over Bluetooth1
                      Defacement
                      Email AddressesDNS ServerDomain Accounts12
                      Command and Scripting Interpreter                      		1
                      Windows Service                      		1
                      Valid Accounts                      		2
                      Obfuscated Files or Information                      		2
                      Credentials in Registry                      		1
                      System Service Discovery                      		SMB/Windows Admin Shares1
                      Email Collection                      		1
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal Accounts2
                      Service Execution                      		1
                      Registry Run Keys / Startup Folder                      		11
                      Access Token Manipulation                      		1
                      Timestomp                      		3
                      Credentials In Files                      		3
                      File and Directory Discovery                      		Distributed Component Object Model111
                      Input Capture                      		2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                      Windows Service                      		1
                      DLL Side-Loading                      		LSA Secrets38
                      System Information Discovery                      		SSH3
                      Clipboard Data                      		12
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts712
                      Process Injection                      		1
                      Bypass User Account Control                      		Cached Domain Credentials241
                      Security Software Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                      Registry Run Keys / Startup Folder                      		221
                      Masquerading                      		DCSync2
                      Virtualization/Sandbox Evasion                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      Valid Accounts                      		Proc Filesystem4
                      Process Discovery                      		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
                      Virtualization/Sandbox Evasion                      		/etc/passwd and /etc/shadow1
                      Application Window Discovery                      		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron11
                      Access Token Manipulation                      		Network Sniffing1
                      System Owner/User Discovery                      		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                      Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd712
                      Process Injection                      		Input Capture1
                      Remote System Discovery                      		Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                      Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled TaskEmbedded PayloadsKeylogging1
                      System Network Configuration Discovery                      		Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1640468 Sample: Quotation.exe Startdate: 17/03/2025 Architecture: WINDOWS Score: 100 59 qwertyuioplkjhgfdsazxcvbnm.ydns.eu 2->59 61 geoplugin.net 2->61 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 12 other signatures 2->83 8 Quotation.exe 1 7 2->8         started        12 Agcakrhb.PIF 2->12         started        14 Agcakrhb.PIF 2->14         started        signatures3 process4 file5 53 C:\Users\user\Links\Agcakrhb.PIF, PE32 8->53 dropped 85 Early bird code injection technique detected 8->85 87 Drops PE files with a suspicious file extension 8->87 89 Allocates memory in foreign processes 8->89 93 2 other signatures 8->93 16 colorcpl.exe 4 13 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        24 backgroundTaskHost.exe 8->24         started        91 Multi AV Scanner detection for dropped file 12->91 26 colorcpl.exe 12->26         started        28 SndVol.exe 14->28         started        signatures6 process7 dnsIp8 55 qwertyuioplkjhgfdsazxcvbnm.ydns.eu 185.208.156.45, 20908, 49720, 49721 SIMPLECARRIERCH Switzerland 16->55 57 geoplugin.net 178.237.33.50, 49722, 80 ATOM86-ASATOM86NL Netherlands 16->57 65 Contains functionality to bypass UAC (CMSTPLUA) 16->65 67 Contains functionalty to change the wallpaper 16->67 69 Contains functionality to steal Chrome passwords or cookies 16->69 75 6 other signatures 16->75 30 recover.exe 2 16->30         started        33 recover.exe 1 16->33         started        35 recover.exe 1 16->35         started        71 Uses ping.exe to sleep 20->71 73 Uses ping.exe to check the status of other devices and networks 20->73 37 esentutl.exe 2 20->37         started        40 conhost.exe 20->40         started        42 alpha.pif 2 20->42         started        44 alpha.pif 2 20->44         started        46 PING.EXE 1 22->46         started        49 conhost.exe 22->49         started        signatures9 process10 dnsIp11 95 Tries to steal Mail credentials (via file registry) 30->95 97 Tries to harvest and steal browser information (history, passwords, etc) 30->97 99 Tries to steal Instant Messenger accounts or passwords 33->99 101 Tries to steal Mail credentials (via file / registry access) 33->101 51 C:\Users\Public\alpha.pif, PE32 37->51 dropped 103 Drops PE files to the user root directory 37->103 105 Drops PE files with a suspicious file extension 37->105 107 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 37->107 63 127.0.0.1 unknown unknown 46->63 file12 signatures13

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.