Windows Analysis Report 3cGH9Bakuq

Overview

General Information

Sample Name: 3cGH9Bakuq (renamed file extension from none to exe)
Analysis ID: 491574
MD5: 0eca879131a7b104418b085db7f761c3
SHA1: 07fa4692aa15a409091bc6190bf33b5942db99e6
SHA256: 166559731ad15341f955bf8a16708f93542bef868c33f02f70e9b27f57b991a3
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 3cGH9Bakuq.exe Virustotal: Detection: 26%
Source: 3cGH9Bakuq.exe ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.3cGH9Bakuq.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 3cGH9Bakuq.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3cGH9Bakuq.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: 3cGH9Bakuq.exe, 00000006.00000002.782303916.0000000002F00000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: 3cGH9Bakuq.exe, 00000006.00000002.782303916.0000000002F00000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 3cGH9Bakuq.exe, 00000006.00000002.780626005.0000000000EB0000.00000040.00000001.sdmp, colorcpl.exe, 0000000F.00000002.929694645.0000000004EC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3cGH9Bakuq.exe, 00000006.00000002.780626005.0000000000EB0000.00000040.00000001.sdmp, colorcpl.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 4x nop then pop ebx 6_2_00406ABF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop ebx 15_2_00CD6ABF

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.marmorariapiramide.online
Source: C:\Windows\explorer.exe Domain query: www.emptycc.net
Source: C:\Windows\explorer.exe Domain query: www.traexcel.com
Source: C:\Windows\explorer.exe Domain query: www.rangerbuddys.com
Source: C:\Windows\explorer.exe Domain query: www.omniriot.com
Source: C:\Windows\explorer.exe Network Connect: 104.143.9.211 80
Source: C:\Windows\explorer.exe Domain query: www.vetpipes.com
Source: C:\Windows\explorer.exe Network Connect: 143.198.15.243 80
Source: C:\Windows\explorer.exe Network Connect: 154.208.82.163 80
Source: C:\Windows\explorer.exe Network Connect: 103.11.189.189 80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /scb0/?IN9dgxBh=gxg+zqdn+o0ww4uf8TcZaQyTsJgiXCW12nXRXcs11V7/zKzoeUyv6HeZPjVpo2wMT0Al&sVSH=CPDL8v1 HTTP/1.1 Host: www.vetpipes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?sVSH=CPDL8v1&IN9dgxBh=beKAYpkJja+K0I/DndBFcQmb1njbIlQSoH3Y/zfbdScl712FMHF3+aANQrs36cfLB01F HTTP/1.1 Host: www.omniriot.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /scb0/?sVSH=CPDL8v1&IN9dgxBh=J7r5qQFPY3cJvABn1Gs7ze2qtK7SOzbffr49jA2eoV1JiGZLpH7+KoOsOPA+gXWondlu HTTP/1.1 Host: www.rangerbuddys.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: colorcpl.exe, 0000000F.00000002.930259419.0000000005572000.00000004.00020000.sdmp String found in binary or memory: http://050005.voodoo.com/js/partner.js
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 3cGH9Bakuq.exe String found in binary or memory: http://kr.battle.net/heroes/ko/
Source: 3cGH9Bakuq.exe String found in binary or memory: http://kr.battle.net/heroes/ko/?https://twitter.com/Dalsae_info9https://twitter.com/hanalen_
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp, 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 3cGH9Bakuq.exe, 00000000.00000003.669096429.0000000005685000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: 3cGH9Bakuq.exe, 00000000.00000003.667722258.0000000005686000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comh
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 3cGH9Bakuq.exe, 00000000.00000003.670846550.00000000056BD000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 3cGH9Bakuq.exe, 00000000.00000003.673691153.00000000056BD000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 3cGH9Bakuq.exe, 00000000.00000002.686643598.0000000000E77000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comdiafN
Source: 3cGH9Bakuq.exe, 00000000.00000002.686643598.0000000000E77000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comoW
Source: 3cGH9Bakuq.exe, 00000000.00000002.686643598.0000000000E77000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnA.
Source: 3cGH9Bakuq.exe, 00000000.00000003.667177411.0000000005686000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cned
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnenx
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnh-c
Source: 3cGH9Bakuq.exe, 00000000.00000003.667465516.0000000005687000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnorm
Source: 3cGH9Bakuq.exe, 00000000.00000003.676148683.00000000056B7000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: colorcpl.exe, 0000000F.00000002.930259419.0000000005572000.00000004.00020000.sdmp String found in binary or memory: http://www.vodien.com/
Source: colorcpl.exe, 0000000F.00000002.930259419.0000000005572000.00000004.00020000.sdmp String found in binary or memory: http://www.vodien.com/singapore-email-hosting.php
Source: 3cGH9Bakuq.exe, 00000000.00000002.690381391.0000000006892000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3cGH9Bakuq.exe, 00000000.00000003.667627044.0000000005686000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnA.
Source: 3cGH9Bakuq.exe, 00000000.00000003.667627044.0000000005686000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnenx
Source: 3cGH9Bakuq.exe, 00000000.00000003.667627044.0000000005686000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnh
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/account/verify_credentials.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/blocks/create.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/blocks/ids.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/direct_messages.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/direct_messages.jsonyhttps://api.twitter.com/1.1/friendships/no_retweets
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/favorites/create.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/favorites/destroy.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/favorites/list.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/friends/ids.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/friends/list.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/friendships/no_retweets/ids.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/friendships/update.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/destroy/
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.jsonahttps://upload.twitter.com/1.1/media/upload.
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/mentions_timeline.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/retweet/
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/show.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/whttps://api.twitter.com/1.1/statuses/mentions_timeli
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.jsonwhttps://api.twitter.com/1.1/account/verify_c
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/1.1/users/lookup.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/oauth/access_token
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/oauth/authorize?oauth_token=
Source: 3cGH9Bakuq.exe String found in binary or memory: https://api.twitter.com/oauth/request_token
Source: 3cGH9Bakuq.exe String found in binary or memory: https://pbs.twimg.com/media/
Source: 3cGH9Bakuq.exe String found in binary or memory: https://twitter.com/
Source: 3cGH9Bakuq.exe String found in binary or memory: https://twitter.com/Dalsae_info
Source: 3cGH9Bakuq.exe String found in binary or memory: https://twitter.com/hanalen_
Source: 3cGH9Bakuq.exe String found in binary or memory: https://upload.twitter.com/1.1/media/upload.json
Source: 3cGH9Bakuq.exe String found in binary or memory: https://userstream.twitter.com/1.1/user.json
Source: unknown DNS traffic detected: queries for: www.emptycc.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 3cGH9Bakuq.exe, 00000000.00000002.686274674.000000000098A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: 3cGH9Bakuq.exe, FlowPanelManager.cs Long String: Length: 34816
Source: 0.0.3cGH9Bakuq.exe.240000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Source: 0.2.3cGH9Bakuq.exe.240000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Source: 5.2.3cGH9Bakuq.exe.a0000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Source: 6.0.3cGH9Bakuq.exe.440000.0.unpack, FlowPanelManager.cs Long String: Length: 34816
Uses 32bit PE files
Source: 3cGH9Bakuq.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 5_2_000A695C 5_2_000A695C
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041B8DD 6_2_0041B8DD
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041C14C 6_2_0041C14C
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00408C6C 6_2_00408C6C
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00408C70 6_2_00408C70
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041CE9E 6_2_0041CE9E
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0044695C 6_2_0044695C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F120A0 15_2_04F120A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04EFB090 15_2_04EFB090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04EF841F 15_2_04EF841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04FA1002 15_2_04FA1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04EFD5E0 15_2_04EFD5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F12581 15_2_04F12581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04FB1D55 15_2_04FB1D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04EE0D20 15_2_04EE0D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F04120 15_2_04F04120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04EEF900 15_2_04EEF900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F06E30 15_2_04F06E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F1EBB0 15_2_04F1EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CEB8DD 15_2_00CEB8DD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CEC14C 15_2_00CEC14C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CED330 15_2_00CED330
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04EEB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004185B0 NtCreateFile, 6_2_004185B0
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00418660 NtReadFile, 6_2_00418660
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004186E0 NtClose, 6_2_004186E0
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00418790 NtAllocateVirtualMemory, 6_2_00418790
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004185AA NtCreateFile, 6_2_004185AA
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041865A NtReadFile, 6_2_0041865A
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004186DF NtClose, 6_2_004186DF
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041878D NtAllocateVirtualMemory, 6_2_0041878D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_04F29860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29840 NtDelayExecution,LdrInitializeThunk, 15_2_04F29840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F295D0 NtClose,LdrInitializeThunk, 15_2_04F295D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F299A0 NtCreateSection,LdrInitializeThunk, 15_2_04F299A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29540 NtReadFile,LdrInitializeThunk, 15_2_04F29540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_04F29910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F296E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_04F296E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F296D0 NtCreateKey,LdrInitializeThunk, 15_2_04F296D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_04F29660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29650 NtQueryValueKey,LdrInitializeThunk, 15_2_04F29650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A50 NtCreateFile,LdrInitializeThunk, 15_2_04F29A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29FE0 NtCreateMutant,LdrInitializeThunk, 15_2_04F29FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29780 NtMapViewOfSection,LdrInitializeThunk, 15_2_04F29780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29710 NtQueryInformationToken,LdrInitializeThunk, 15_2_04F29710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F298F0 NtReadVirtualMemory, 15_2_04F298F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F298A0 NtWriteVirtualMemory, 15_2_04F298A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2B040 NtSuspendThread, 15_2_04F2B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29820 NtEnumerateKey, 15_2_04F29820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F295F0 NtQueryInformationFile, 15_2_04F295F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F299D0 NtCreateProcessEx, 15_2_04F299D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29560 NtWriteFile, 15_2_04F29560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29950 NtQueueApcThread, 15_2_04F29950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2AD30 NtSetContextThread, 15_2_04F2AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29520 NtWaitForSingleObject, 15_2_04F29520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A80 NtOpenDirectoryObject, 15_2_04F29A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29670 NtQueryInformationProcess, 15_2_04F29670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A20 NtResumeThread, 15_2_04F29A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29610 NtEnumerateValueKey, 15_2_04F29610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A10 NtQuerySection, 15_2_04F29A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A00 NtProtectVirtualMemory, 15_2_04F29A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2A3B0 NtGetContextThread, 15_2_04F2A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F297A0 NtUnmapViewOfSection, 15_2_04F297A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29770 NtSetInformationFile, 15_2_04F29770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2A770 NtOpenThread, 15_2_04F2A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29760 NtOpenProcess, 15_2_04F29760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29730 NtQueryVirtualMemory, 15_2_04F29730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2A710 NtOpenProcessToken, 15_2_04F2A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29B00 NtSetValueKey, 15_2_04F29B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE85B0 NtCreateFile, 15_2_00CE85B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE86E0 NtClose, 15_2_00CE86E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE8660 NtReadFile, 15_2_00CE8660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE8790 NtAllocateVirtualMemory, 15_2_00CE8790
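The list above is more useful as a per-process inventory than as a flat list: read together, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread, NtSetContextThread and NtResumeThread in colorcpl.exe are the complete tool chain for the hollowing, APC and thread-context injection the report flags elsewhere. The following helper, added here as an example and not part of the Joe Sandbox report or of the sample, parses the report's own "Code function" lines into that inventory and flags the injection primitives. One observation it makes easy to check: the 15_2_04F2xxxx call sites lie a few hundred KB above the 0x04EC0000 dump of colorcpl.exe in which the report found a wntdll.pdb string, which would fit a second, privately mapped copy of ntdll rather than calls through the loaded ntdll.dll; the report does not state this, so treat it as an inference to confirm in a debugger. The sample lines are copied from the section above; the regex and the set of injection primitives are this example's own.

```python
"""Added triage helper, not part of the Joe Sandbox report or of the sample:
parse the "Code function: ... Nt*" lines above into a per-process inventory of
native API call sites and flag the subset that forms a process-injection chain."""
import re
from collections import defaultdict

# The report names a call site "<process index>_<dump stage>_<address>", e.g.
# 15_2_04F299A0 = process 0xF (colorcpl.exe), end-of-run dump, address 0x04F299A0.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<idx>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>.+?),? (?P=idx)_(?P=stage)_(?P=addr)$"
)

# Native calls that together make up a write-and-execute injection chain
# (process hollowing, APC injection, thread-context hijacking).  Chosen for
# this example; not a list from the report.
INJECTION_PRIMITIVES = frozenset({
    "NtOpenProcess", "NtCreateProcessEx", "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtCreateSection",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtQueueApcThread",
    "NtGetContextThread", "NtSetContextThread", "NtSuspendThread",
    "NtResumeThread",
})


def parse_call_sites(report_text):
    """Return {image path: {api name: set of call-site addresses}}."""
    inventory = defaultdict(lambda: defaultdict(set))
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "Code function" line
        addr = int(m["addr"], 16)
        for api in m["apis"].split(","):
            api = api.strip()
            if api:
                inventory[m["image"]][api].add(addr)
    return {image: dict(apis) for image, apis in inventory.items()}


def injection_indicators(inventory):
    """Per image, the sorted injection primitives it references."""
    return {image: sorted(set(apis) & INJECTION_PRIMITIVES)
            for image, apis in inventory.items()}


def address_range(inventory, image):
    """Lowest and highest call-site address for one image.  Nt* stubs far from
    the process's own image (here 0x04F2xxxx in colorcpl.exe) deserve a look in
    a debugger: they may live in a separately mapped copy of ntdll."""
    addrs = {a for sites in inventory[image].values() for a in sites}
    return min(addrs), max(addrs)


# Constructed input: a handful of lines copied from the report section above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004185B0 NtCreateFile, 6_2_004185B0
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00418790 NtAllocateVirtualMemory, 6_2_00418790
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F299A0 NtCreateSection,LdrInitializeThunk, 15_2_04F299A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29780 NtMapViewOfSection,LdrInitializeThunk, 15_2_04F29780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F298A0 NtWriteVirtualMemory, 15_2_04F298A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29950 NtQueueApcThread, 15_2_04F29950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F2AD30 NtSetContextThread, 15_2_04F2AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F297A0 NtUnmapViewOfSection, 15_2_04F297A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F29A20 NtResumeThread, 15_2_04F29A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE8790 NtAllocateVirtualMemory, 15_2_00CE8790
"""

if __name__ == "__main__":
    inv = parse_call_sites(SAMPLE)
    for image, hits in injection_indicators(inv).items():
        lo, hi = address_range(inv, image)
        print(f"{image}: {len(hits)} injection primitive(s) {hits}; "
              f"call sites 0x{lo:08X}-0x{hi:08X}")
```

Feed it the full report text rather than the excerpt and the per-image address ranges separate the two code regions the report shows in colorcpl.exe (0x00CExxxx, the injected FormBook image, and 0x04F2xxxx, the native stubs) without any manual sorting.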
Sample file is different than original file name gathered from version info
Source: 3cGH9Bakuq.exe, 00000000.00000002.691742777.0000000008740000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000000.00000002.686274674.000000000098A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000000.00000000.660737269.00000000002DC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMCMWrapperDictiona.exe> vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000000.00000002.686799799.0000000002604000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000005.00000000.683042468.000000000013C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMCMWrapperDictiona.exe> vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000006.00000002.780397796.0000000000C2A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000006.00000002.779961917.00000000004DC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMCMWrapperDictiona.exe> vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe, 00000006.00000002.781097720.0000000000FCF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe Binary or memory string: OriginalFilenameMCMWrapperDictiona.exe> vs 3cGH9Bakuq.exe
Source: 3cGH9Bakuq.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3cGH9Bakuq.exe Virustotal: Detection: 26%
Source: 3cGH9Bakuq.exe ReversingLabs: Detection: 22%
Source: 3cGH9Bakuq.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe 'C:\Users\user\Desktop\3cGH9Bakuq.exe'
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe' Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3cGH9Bakuq.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@6/4
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 3cGH9Bakuq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3cGH9Bakuq.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: 3cGH9Bakuq.exe, 00000006.00000002.782303916.0000000002F00000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: 3cGH9Bakuq.exe, 00000006.00000002.782303916.0000000002F00000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 3cGH9Bakuq.exe, 00000006.00000002.780626005.0000000000EB0000.00000040.00000001.sdmp, colorcpl.exe, 0000000F.00000002.929694645.0000000004EC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3cGH9Bakuq.exe, 00000006.00000002.780626005.0000000000EB0000.00000040.00000001.sdmp, colorcpl.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3cGH9Bakuq.exe, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.3cGH9Bakuq.exe.240000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.3cGH9Bakuq.exe.240000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.3cGH9Bakuq.exe.a0000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.3cGH9Bakuq.exe.440000.0.unpack, PinForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B6644F push esi; ret 0_2_04B66452
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B6644B push esi; ret 0_2_04B6644E
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B66448 push esi; ret 0_2_04B6644A
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B66593 push esi; ret 0_2_04B6659A
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B665D7 push edi; ret 0_2_04B665DA
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B665D5 push edi; ret 0_2_04B665D6
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B66560 push esi; ret 0_2_04B66592
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 0_2_04B66758 push edi; ret 0_2_04B6675A
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00418846 pushad ; retf 6_2_00418847
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041B85C push eax; ret 6_2_0041B862
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00415184 pushfd ; iretd 6_2_004151A3
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041CC51 push edx; ret 6_2_0041CC52
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041547D push es; retf 6_2_00415481
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00415DCA push 118C2D45h; retf 6_2_00415DCF
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041B7F2 push eax; ret 6_2_0041B7F8
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041B7FB push eax; ret 6_2_0041B862
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_0041B7A5 push eax; ret 6_2_0041B7F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04F3D0D1 push ecx; ret 15_2_04F3D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE8846 pushad ; retf 15_2_00CE8847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CEB85C push eax; ret 15_2_00CEB862
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_00CE5184 pushfd ; iretd 15_2_00CE51A3
Source: initial sample Static PE information: section name: .text entropy: 7.30848087754
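The Assembly.Load(System.Byte[]) call in PinForm.cs and the .text entropy of 7.31 belong together: a .NET PE keeps IL, metadata and embedded resources in one .text section, so a compressed or encrypted byte array waiting to be loaded as an assembly pushes that section's entropy toward 8.0 (that link is an inference from the two report entries, not something the report states). The following static check, added here as an example and not part of the report or the sample, walks a PE section table, computes per-section Shannon entropy and flags executable sections above a threshold. The 7.0 threshold and the minimal PE builder used to construct the test image are this example's own choices; the section-header layout and characteristic flags are the standard PE definitions.

```python
"""Added static triage helper, not part of the report or the sample: walk the
section table of a PE image, compute the Shannon entropy of each section's raw
data, and flag executable sections whose entropy suggests a packed or encrypted
payload.  The 7.0 threshold is a heuristic chosen here, not a report value."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Return [{name, characteristics, size, entropy}] for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    first_header = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _lineno, _nreloc, _nlineno, chars) = struct.unpack_from(
            SECTION_HEADER, image, first_header + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "characteristics": chars,
            "size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packed_sections(sections, threshold=7.0):
    """Names of executable sections at or above the entropy threshold."""
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
            and s["entropy"] >= threshold]


def build_test_pe(sections):
    """Constructed minimal PE32 for this example only (hypothetical headers):
    sections is a list of (name, data, characteristics); data sizes should be
    multiples of the 0x200 file alignment so padding does not skew entropy."""
    e_lfanew, size_of_optional, align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       size_of_optional, 0x0102)
    header_end = e_lfanew + 4 + len(coff) + size_of_optional + 40 * len(sections)
    raw_ptr = (header_end + align - 1) // align * align
    headers, blobs, ptr = b"", b"", raw_ptr
    for name, data, chars in sections:
        padded = data + b"\0" * (-len(data) % align)
        headers += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(data),
                               0x1000, len(padded), ptr, 0, 0, 0, 0, chars)
        blobs += padded
        ptr += len(padded)
    image = dos + b"PE\0\0" + coff + b"\0" * size_of_optional + headers
    return image + b"\0" * (raw_ptr - len(image)) + blobs


# Constructed sample: an executable .text holding a uniform byte blob (entropy
# 8.0, like an encrypted embedded assembly) next to a low-entropy .rsrc.
SAMPLE_PE = build_test_pe([
    (b".text", bytes(range(256)) * 8,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc", b"\x00\x01\x02\x03" * 128, IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(f"{s['name']:8} size=0x{s['size']:X} entropy={s['entropy']:.3f}")
    print("packed executable sections:", packed_sections(pe_sections(SAMPLE_PE)))
```

Entropy alone does not prove packing (a large legitimate resource section scores high too), which is why the check is limited to sections marked IMAGE_SCN_MEM_EXECUTE; run it on the original file and again on the dumped in-memory image and the unpacked payload shows up as the one whose executable sections dropped back to ordinary code entropy.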

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe' Jump to behavior
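The process-creation entries above describe a short, distinctive chain: the dropped file relaunches itself, explorer.exe then starts autofmt.exe and colorcpl.exe with empty command lines, and colorcpl.exe runs cmd.exe to delete the original sample. The following detection sketch, added here as an example and not part of the report or the sample, rebuilds that tree from the report's own "Process created" lines, finds the self-deletion and reports the lineage behind it. The parsing regexes and the rule names are this example's own; the report keys processes by image path rather than PID, so re-spawns of the same image collapse into one node, and a production rule should key on PID and parent PID from Sysmon event 1 or the ETW process-creation event instead.

```python
"""Added detection sketch, not part of the report or the sample: rebuild the
process tree from the report's "Process created:" lines, find a cmd.exe
"/c del" whose target is the image of a process in that tree (self-deletion),
and report the lineage that led to it."""
import re

EVENT_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$")
# "/c del", optional switches such as /f /q, then a possibly quoted path.
DEL_RE = re.compile(r"/c\s+del\s+(?:/[a-z]\s+)*['\"]?(?P<target>[^'\"]+)['\"]?", re.I)
SUFFIX = " Jump to behavior"   # report UI text appended to some entries


def parse_events(report_text):
    """Deduplicated (parent, image, cmdline) tuples in report order."""
    events, seen = [], set()
    for line in report_text.splitlines():
        line = line.strip()
        if line.endswith(SUFFIX):
            line = line[:-len(SUFFIX)]
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = (m["parent"], m["image"], m["cmdline"] or "")
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def lineage(events, image):
    """Walk parent links upward from image.  Stops at 'unknown', at a cycle
    (the sample re-launching itself) or when the parent was never a child."""
    parent_of = {}
    for parent, child, _ in events:
        parent_of.setdefault(child, parent)   # keep the first creation seen
    chain, cur = [image], image
    while cur in parent_of:
        nxt = parent_of[cur]
        if nxt == "unknown" or nxt in chain:
            break
        chain.append(nxt)
        cur = nxt
    return chain


def self_deletions(events):
    """(lineage of the deleting cmd.exe, deleted path) for every cmd /c del
    whose target is an image that appears anywhere in the tree."""
    images = {img.lower() for _, img, _ in events} | {p.lower() for p, _, _ in events}
    findings = []
    for _parent, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(cmdline)
        if m and m["target"].lower() in images:
            findings.append((lineage(events, image), m["target"]))
    return findings


def bare_system_binaries_from_explorer(events):
    """System binaries explorer.exe started with no arguments, the hop this
    report shows before the deletion.  Noisy on its own (users launch system
    tools from the shell constantly); it earns its weight only next to a
    self-deletion in the same lineage."""
    hits = []
    for parent, image, cmdline in events:
        low = image.lower()
        if (parent.lower().endswith("\\explorer.exe")
                and ("\\syswow64\\" in low or "\\system32\\" in low)
                and cmdline.strip("'\"") == image):
            hits.append(image)
    return hits


# Constructed input: the process-creation lines copied from the report above.
SAMPLE = r"""
Source: unknown Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe 'C:\Users\user\Desktop\3cGH9Bakuq.exe'
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe' Jump to behavior
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for chain, target in self_deletions(evs):
        print("self-deletion of", target, "via", " <- ".join(chain))
    print("bare system binaries from explorer:", bare_system_binaries_from_explorer(evs))
```

The combination is what matters for a host rule: a cmd.exe deleting an executable from a user-writable path, started by a system binary that explorer.exe launched with no arguments, is a far stronger signal than either piece alone.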
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686799799.0000000002604000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3cGH9Bakuq.exe PID: 6452, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000000CD8604 second address: 0000000000CD860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000000CD898E second address: 0000000000CD8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe TID: 6960 Thread sleep time: -30795s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe TID: 5224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2092 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2820 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004088C0 rdtsc 6_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread delayed: delay time: 30795 Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000007.00000000.690599352.0000000004710000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.714021097.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.732277196.000000000A897000.00000004.00000001.sdmp Binary or memory string: 806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.726137723.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.714021097.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.761358356.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000007.00000000.700488613.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.730817576.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: 3cGH9Bakuq.exe, 00000000.00000002.686725719.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_004088C0 rdtsc 6_2_004088C0
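The RDTSC interceptor entries above spell out the timing check byte for byte: rdtsc, xor ecx, ecx, add ecx, eax, rdtsc, six bytes apart at 0x408604 and 0x40860A (and again in the injected colorcpl.exe copy at 0xCD8604). Under a hypervisor that traps RDTSC, or under single-stepping, the delta between the two reads grows from tens of cycles to thousands; the comparison against a threshold follows the bytes the report shows. The following scanner, added here as an example and not part of the report or the sample, finds that shape statically, alongside the fs:[30h] PEB reads the report lists under "Contains functionality to read the PEB", and emits the equivalent YARA rule. The opcode encodings are standard 32-bit x86; the code buffer is constructed from the instruction bytes the report lists, not dumped from the sample, and the 16-byte pairing window is this example's own choice.

```python
"""Added static scanner, not part of the report or the sample: find back-to-back
RDTSC reads (a timing check) and reads of fs:[30h] (the PEB, home of
BeingDebugged and the heap flags) in a raw 32-bit code buffer."""
import re

RDTSC = b"\x0f\x31"
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[30h]",        # A1 moffs32 form
    b"\x64\x8b\x05\x30\x00\x00\x00": "mov eax, fs:[30h]",    # 8B /r form
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]",
}


def find_rdtsc_pairs(code, base=0, window=16):
    """(first, second) addresses of two RDTSCs within `window` bytes of each
    other.  A lone 0F 31 is common as data or inside another instruction;
    requiring a close pair is what keeps the false-positive rate tolerable."""
    hits = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(base + a, base + b) for a, b in zip(hits, hits[1:]) if b - a <= window]


def find_peb_reads(code, base=0):
    """(address, mnemonic) for each fs:[30h] read, sorted by address."""
    found = []
    for pattern, text in PEB_READS.items():
        found.extend((base + m.start(), text)
                     for m in re.finditer(re.escape(pattern), code))
    return sorted(found)


def yara_rule(name="timing_check_rdtsc_pair", max_gap=14):
    """YARA text for the RDTSC pair, for a memory or file scan."""
    return (f"rule {name} {{\n"
            f"    strings:\n        $r = {{ 0F 31 [0-{max_gap}] 0F 31 }}\n"
            f"    condition:\n        $r\n}}\n")


# Constructed buffer standing in for the .text region at 0x408000: the report's
# sequence "rdtsc; xor ecx, ecx; add ecx, eax; rdtsc" at 0x408604, a PEB read
# at 0x408700 and an unpaired 0F 31 at 0x408100 that must not be reported.
BASE = 0x408000
TIMING_CHECK = b"\x0f\x31" b"\x31\xc9" b"\x01\xc1" b"\x0f\x31"
_buf = bytearray(b"\x90" * 0x1000)
_buf[0x100:0x102] = RDTSC
_buf[0x604:0x604 + len(TIMING_CHECK)] = TIMING_CHECK
_buf[0x700:0x706] = b"\x64\xa1\x30\x00\x00\x00"
CODE = bytes(_buf)

if __name__ == "__main__":
    for first, second in find_rdtsc_pairs(CODE, BASE):
        print(f"rdtsc pair: 0x{first:08X} -> 0x{second:08X}")
    for addr, text in find_peb_reads(CODE, BASE):
        print(f"peb read:   0x{addr:08X} {text}")
    print(yara_rule())
```

Run against the constructed buffer the pair lands at 0x408604 and 0x40860A, the same two addresses the report's interceptor recorded. Keep the window small: widening it past a few instructions turns ordinary profiling code and compiler-emitted timestamp reads into hits, and a PEB read by itself is normal in any binary that uses the loader or the heap, so both patterns are triage leads rather than verdicts.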
Enables debug privileges
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Code function: 6_2_00409B30 LdrLoadDll, 6_2_00409B30
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.marmorariapiramide.online
Source: C:\Windows\explorer.exe Domain query: www.emptycc.net
Source: C:\Windows\explorer.exe Domain query: www.traexcel.com
Source: C:\Windows\explorer.exe Domain query: www.rangerbuddys.com
Source: C:\Windows\explorer.exe Domain query: www.omniriot.com
Source: C:\Windows\explorer.exe Network Connect: 104.143.9.211 80
Source: C:\Windows\explorer.exe Domain query: www.vetpipes.com
Source: C:\Windows\explorer.exe Network Connect: 143.198.15.243 80
Source: C:\Windows\explorer.exe Network Connect: 154.208.82.163 80
Source: C:\Windows\explorer.exe Network Connect: 103.11.189.189 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: DC0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Memory written: C:\Users\user\Desktop\3cGH9Bakuq.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3424 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Process created: C:\Users\user\Desktop\3cGH9Bakuq.exe C:\Users\user\Desktop\3cGH9Bakuq.exe Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3cGH9Bakuq.exe' Jump to behavior
Source: explorer.exe, 00000007.00000000.721665647.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000007.00000000.759104586.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 0000000F.00000002.929454695.0000000003770000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.759104586.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 0000000F.00000002.929454695.0000000003770000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.759104586.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 0000000F.00000002.929454695.0000000003770000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.759104586.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 0000000F.00000002.929454695.0000000003770000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.700488613.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Users\user\Desktop\3cGH9Bakuq.exe VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3cGH9Bakuq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3775cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3cGH9Bakuq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.3828370.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3cGH9Bakuq.exe.37fc950.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.929569610.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.687646701.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.716031426.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.738903713.000000000DA49000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.928514787.0000000000CD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.779648624.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.929541418.0000000004C80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780291616.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.780216392.0000000000A10000.00000040.00020000.sdmp, type: MEMORY