Analysis Report UOMp9cDcqZ

Overview

General Information

Sample Name: UOMp9cDcqZ (renamed file extension from none to exe)
Analysis ID: 433343
MD5: 15d907e7d9f8286e5053796c9d78fcec
SHA1: b7d7329e94e2292ed53e2778cebec533ac599030
SHA256: 771e4f69520f71afe6a6e9a4eb4de7dcd8d7521d90db290ca6c27b1a95c532af
Tags: exe

Most interesting Screenshot: (image not reproduced)

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • UOMp9cDcqZ.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\UOMp9cDcqZ.exe' MD5: 15D907E7D9F8286E5053796C9D78FCEC)
    • UOMp9cDcqZ.exe (PID: 6412 cmdline: C:\Users\user\Desktop\UOMp9cDcqZ.exe MD5: 15D907E7D9F8286E5053796C9D78FCEC)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 4860 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • colorcpl.exe (PID: 4840 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6444 cmdline: /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
(21 further memory-dump matches are not shown in this excerpt)

Unpacked PEs

Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x10aa68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x10adf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x131c88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x132012:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x116b05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13dd25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1165f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13d811:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x116c07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13de27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x116d7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13df9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x10b80a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x132a2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11586c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x13ca8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x10c582:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1337a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x11bbf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x142e17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x11cc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(10 further unpacked-PE matches are not shown in this excerpt)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: UOMp9cDcqZ.exe | Virustotal: Detection: 16%
Source: UOMp9cDcqZ.exe | Metadefender: Detection: 22%
Source: UOMp9cDcqZ.exe | ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UOMp9cDcqZ.exe | Joe Sandbox ML: detected
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: UOMp9cDcqZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: UOMp9cDcqZ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb | source: UOMp9cDcqZ.exe
Source: Binary string: colorcpl.pdbGCTL | source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb | source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: UOMp9cDcqZ.exe, 00000002.00000003.245683230.0000000001050000.00000004.00000001.sdmp, colorcpl.exe, 0000000F.00000002.494600161.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: UOMp9cDcqZ.exe, colorcpl.exe
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_0E61B6F0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 4x nop then pop edi | 2_2_00416282
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 4x nop then pop ebx | 2_2_00406A94
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx | 15_2_02546A95
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 15_2_02556282

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.adultpeace.com/p2io/
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.yunlimall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.dmgt4m2g8y2uh.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.thesoulrevitalist.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf4qMx2ahmc0&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.newmopeds.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.cleanxcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP HTTP/1.1 | Host: www.hazard-protection.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: BIT-ISLEEquinixJpapanEnterpriseKKJP
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Access-Control-Allow-Origin: * | Access-Control-Allow-Credentials: true | Access-Control-Allow-Methods: GET, POST, PUT, DELETE | Access-Control-Allow-Headers: Authorization | Date: Fri, 11 Jun 2021 14:58:19 GMT | Connection: close | Content-Length: 1245 | Data Raw: (hex dump of the IIS HTML 404 page omitted)
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: UOMp9cDcqZ.exe, 00000001.00000002.248963538.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: UOMp9cDcqZ.exe, 00000001.00000003.233796502.0000000005B09000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersU
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comuev
Source: UOMp9cDcqZ.exe, 00000001.00000003.228190439.0000000005B1B000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn.
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/MI
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/liquI
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coms
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krN.TTFv
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228445833.0000000005B1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004181B0 NtCreateFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00418260 NtReadFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004182E0 NtClose
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_004182AC NtReadFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041838B NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E95D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E98F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E97A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EAD30 NtSetContextThread
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9560 NtWriteFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9950 NtQueueApcThread
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E95F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E99D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9820 NtEnumerateKey
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EB040 NtSuspendThread
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E98A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9B00 NtSetValueKey
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9770 NtSetInformationFile
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA770 NtOpenThread
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9760 NtOpenProcess
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013EA3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A10 NtQuerySection
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9650 NtQueryValueKey
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E9A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013E96D0 NtCreateKey
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047395D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047396E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047396D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047399A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739560 NtWriteFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473AD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047395F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A770 NtOpenThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739760 NtOpenProcess
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047397A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473B040 NtSuspendThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047398F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047398A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047399D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A20 NtResumeThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A10 NtQuerySection
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04739B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0473A3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02558260 NtReadFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025582E0 NtClose
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_02558390 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025581B0 NtCreateFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_025582AC NtReadFile
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0255838B NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_006EA90E
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_006E63D1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_02B0C2B0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_02B09970
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B77A60
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AD18
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BF50
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7B588
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7E850
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BA38
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BA28
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B77A51
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7DC68
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AC5F
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7EEF0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AFB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7AFC0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7BF42
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7A0F9
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B70006
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B70040
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7A108
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7F148
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7F3D8
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B774B0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B774A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_08B7B578
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618872
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E61A830
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618668
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E613678
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618678
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E61365D
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E615AE0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E615AD2
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E6182A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 1_2_0E618290
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00401030
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B8B1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B963
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00408C4B
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00408C50
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B493
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041B496
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041C539
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402D89
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402D90
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041CE85
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041BF12
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0041C795
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_00402FB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0086A90E
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_008663D1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01471D55
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013A0D20
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C4120
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013AF900
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472D07
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014725DD
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D2581
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BD5E0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013B841F
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01461002
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013D20A0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013BB090
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014728EC
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014720A8
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472B28
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013DEBB0
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_0146DBD2
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01471FF1
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_013C6E30
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_01472EF7
            Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe | Code function: 2_2_014722AE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047BD466
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470841F
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C1D55
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_046F0D20
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2D07
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470D5E0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C25DD
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04722581
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04716E30
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047BD616
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2EF7
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C1FF1
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047CDFCE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047CE824
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047B1002
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C28EC
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047220A0
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C20A8
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0470B090
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_04714120
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_046FF900
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047AFA2B
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C22AE
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047C2B28
            Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_047B03DA