Windows Analysis Report commercial invoice_010202201.exe

Overview

General Information

Sample Name: commercial invoice_010202201.exe
Analysis ID: 553094
MD5: acbc7357e4fb7d8d4874ecbeb0c5bd0f
SHA1: f423fed0f335e5c31d7b799aba25469420fb6009
SHA256: 73f458d7e38ab748b7b7d3b3e680db9eb08d845c1b1b7c935a6ee453d8f03358
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.toposales.com/igwa/"], "decoy": ["listingswithalex.com", "funtabse.com", "aydenwalling.com", "prochal.net", "superfoodsnederland.com", "moldluck.com", "dianekgordon.store", "regionalhomescommercial.com", "mysecuritymadesimple.com", "malwaremastery.com", "kodaikeiko.com", "jrzg996.com", "agricurve.net", "songlingjiu.com", "virginianundahfishingclub.com", "friendschance.com", "pastelpresents.com", "answertitles.com", "survival-hunter.com", "nxfddl.com", "traditionnevertrend.com", "agrovessel.com", "unicorm.digital", "cucumboy.com", "alemdogarimpo.com", "laraful.com", "hexwaa.com", "hanu21st.com", "knoycia.com", "qishengxing.com", "gopipurespices.com", "fdkkrfidkdslsieofkld.info", "elephantspublications.online", "valeriebeijing.com", "xn--42cg2czax6ptae6a.com", "2shengman.com", "sfcshavedice.com", "ragworkhouse.com", "stardomfrokch.xyz", "exoticcenterfold.com", "eventosartifice.com", "test-order-noren.com", "110bao.com", "face-pro.online", "freedomoff.com", "futuresep.com", "tremblock.com", "chocolat-gillotte.com", "speclove.com", "ddflsl.com", "goodnewsmbc.net", "cloudtotaal.com", "goapps-auth.com", "ouch247max.com", "sabra-sd.com", "luxuryneverhurt.art", "rxvendorpills.online", "ludowinners.online", "placemyorder.online", "skyrim.company", "monsterlecturer.com", "controle-fiscal.com", "phoenixinjurylawyer.online", "nanoheadgames.com"]}
Multi AV Scanner detection for submitted file
Source: commercial invoice_010202201.exe ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.toposales.com/igwa/?JXRL2Htp=ma6dGeieA/uMuLPHhGmEMO0MhvgJCSwWTtOunmNNbuA50fkYJarGKThxl5bT79VqZFZn&2dyD8R=k0GL Avira URL Cloud: Label: malware
Source: http://www.stardomfrokch.xyz/igwa/?JXRL2Htp=fxfNgp9ZS8bh2/dcez9r/a5fPpTZli2HVK4HIQKX3jCJ31NosuhFm2CAaUmyjrkPXZG7&2dyD8R=k0GL Avira URL Cloud: Label: malware
Source: www.toposales.com/igwa/ Avira URL Cloud: Label: malware
Source: http://www.answertitles.com/igwa/?JXRL2Htp=zipQeNKESZPqCbLQlDCLj4zpqFgOpmaVmA6du1Oyf7pRL9Y+oEdiiyDWqjEEpcoXahJo&2dyD8R=k0GL Avira URL Cloud: Label: malware
Source: http://www.rxvendorpills.online/igwa/?JXRL2Htp=pt5DjHHXKdbYY+ulYudT7OdutHPMSBHvoYqZ/+0K/RDZ4aBmJwtpu5HKuc6CLarugF7n&2dyD8R=k0GL Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshDF13.tmp\uajs.dll ReversingLabs: Detection: 16%
Machine Learning detection for sample
Source: commercial invoice_010202201.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.colorcpl.exe.b83930.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.commercial invoice_010202201.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.commercial invoice_010202201.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.commercial invoice_010202201.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.commercial invoice_010202201.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.commercial invoice_010202201.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.commercial invoice_010202201.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.colorcpl.exe.4e3796c.4.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: commercial invoice_010202201.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: colorcpl.pdbGCTL source: commercial invoice_010202201.exe, 00000001.00000002.734183183.0000000000960000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: commercial invoice_010202201.exe, 00000001.00000002.734183183.0000000000960000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: commercial invoice_010202201.exe, 00000000.00000003.681356710.00000000030A0000.00000004.00000001.sdmp, commercial invoice_010202201.exe, 00000000.00000003.683908574.0000000003230000.00000004.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734202517.00000000009D0000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734364645.0000000000AEF000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000003.684222462.00000000006A0000.00000004.00000001.sdmp, colorcpl.exe, 00000007.00000002.944151655.0000000004A1F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.944001082.0000000004900000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: commercial invoice_010202201.exe, commercial invoice_010202201.exe, 00000001.00000002.734202517.00000000009D0000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734364645.0000000000AEF000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000003.684222462.00000000006A0000.00000004.00000001.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.944151655.0000000004A1F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.944001082.0000000004900000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49817 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49846 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49846 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49846 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.sfcshavedice.com
Source: C:\Windows\explorer.exe Domain query: www.survival-hunter.com
Source: C:\Windows\explorer.exe Domain query: www.ludowinners.online
Source: C:\Windows\explorer.exe Domain query: www.moldluck.com
Source: C:\Windows\explorer.exe Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.200 80
Source: C:\Windows\explorer.exe Network Connect: 109.106.254.15 80
Source: C:\Windows\explorer.exe Domain query: www.answertitles.com
Source: C:\Windows\explorer.exe Domain query: www.stardomfrokch.xyz
Source: C:\Windows\explorer.exe Domain query: www.toposales.com
Source: C:\Windows\explorer.exe Domain query: www.friendschance.com
Source: C:\Windows\explorer.exe Domain query: www.cloudtotaal.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe Domain query: www.rxvendorpills.online
Source: C:\Windows\explorer.exe Domain query: www.controle-fiscal.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe Network Connect: 89.17.204.228 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.stardomfrokch.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.toposales.com/igwa/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLEAR-AS-APClearNetworksPtyLtdAU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=zipQeNKESZPqCbLQlDCLj4zpqFgOpmaVmA6du1Oyf7pRL9Y+oEdiiyDWqjEEpcoXahJo&2dyD8R=k0GL HTTP/1.1Host: www.answertitles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=kcJK5GFpDKPtevBg1nN4AS2uwE6IDbqQL9Esa69lHd4fhlo3nfdugBZ3P+KHWdbb77iO&2dyD8R=k0GL HTTP/1.1Host: www.friendschance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=iLZ1RFWiw0U4S9E0pDZlJcjoptUhYXlNWk90HzYHcuVmRCYph1Gowzt+bYvcpjSVMV+b&2dyD8R=k0GL HTTP/1.1Host: www.sfcshavedice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=pt5DjHHXKdbYY+ulYudT7OdutHPMSBHvoYqZ/+0K/RDZ4aBmJwtpu5HKuc6CLarugF7n&2dyD8R=k0GL HTTP/1.1Host: www.rxvendorpills.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=P7cOGMhGan+iOds35nuUwcQL6AiWu3hpp80V2Eae8ndsAihNyn6owzlv0a79YI8S4Mj0&2dyD8R=k0GL HTTP/1.1Host: www.ludowinners.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=fxfNgp9ZS8bh2/dcez9r/a5fPpTZli2HVK4HIQKX3jCJ31NosuhFm2CAaUmyjrkPXZG7&2dyD8R=k0GL HTTP/1.1Host: www.stardomfrokch.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=ma6dGeieA/uMuLPHhGmEMO0MhvgJCSwWTtOunmNNbuA50fkYJarGKThxl5bT79VqZFZn&2dyD8R=k0GL HTTP/1.1Host: www.toposales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=XkWoyKtjfo1nTXOdSlOCxSRnTVDbDlQTsKZVtKCHx1ue89AIkDfi+mwVckT9NwCZj6NC&2dyD8R=k0GL HTTP/1.1Host: www.survival-hunter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 118.67.131.217
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Fri, 14 Jan 2022 09:21:52 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close content-type: text/html last-modified: Fri, 26 Mar 2021 09:43:38 GMT etag: "999-605dacca-1fd7389c82cb2d72;;;" accept-ranges: bytes content-length: 2457 date: Fri, 14 Jan 2022 09:21:58 GMT server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Fri, 14 Jan 2022 09:22:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 162 X-Sorting-Hat-ShopId: 59837907107 X-Dc: gcp-europe-west1 X-Request-ID: aa596adc-d6ad-4249-95ff-1ddd0936ac81 X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 6cd5cc745a4f4eda-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: commercial invoice_010202201.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: commercial invoice_010202201.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: colorcpl.exe, 00000007.00000002.944462814.0000000004FB2000.00000004.00020000.sdmp String found in binary or memory: https://www.survival-hunter.com/igwa/?JXRL2Htp=XkWoyKtjfo1nTXOdSlOCxSRnTVDbDlQTsKZVtKCHx1ue89AIkDfi
Source: unknown DNS traffic detected: queries for: www.answertitles.com
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=zipQeNKESZPqCbLQlDCLj4zpqFgOpmaVmA6du1Oyf7pRL9Y+oEdiiyDWqjEEpcoXahJo&2dyD8R=k0GL HTTP/1.1Host: www.answertitles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=kcJK5GFpDKPtevBg1nN4AS2uwE6IDbqQL9Esa69lHd4fhlo3nfdugBZ3P+KHWdbb77iO&2dyD8R=k0GL HTTP/1.1Host: www.friendschance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=iLZ1RFWiw0U4S9E0pDZlJcjoptUhYXlNWk90HzYHcuVmRCYph1Gowzt+bYvcpjSVMV+b&2dyD8R=k0GL HTTP/1.1Host: www.sfcshavedice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=pt5DjHHXKdbYY+ulYudT7OdutHPMSBHvoYqZ/+0K/RDZ4aBmJwtpu5HKuc6CLarugF7n&2dyD8R=k0GL HTTP/1.1Host: www.rxvendorpills.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=P7cOGMhGan+iOds35nuUwcQL6AiWu3hpp80V2Eae8ndsAihNyn6owzlv0a79YI8S4Mj0&2dyD8R=k0GL HTTP/1.1Host: www.ludowinners.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=fxfNgp9ZS8bh2/dcez9r/a5fPpTZli2HVK4HIQKX3jCJ31NosuhFm2CAaUmyjrkPXZG7&2dyD8R=k0GL HTTP/1.1Host: www.stardomfrokch.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=ma6dGeieA/uMuLPHhGmEMO0MhvgJCSwWTtOunmNNbuA50fkYJarGKThxl5bT79VqZFZn&2dyD8R=k0GL HTTP/1.1Host: www.toposales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /igwa/?JXRL2Htp=XkWoyKtjfo1nTXOdSlOCxSRnTVDbDlQTsKZVtKCHx1ue89AIkDfi+mwVckT9NwCZj6NC&2dyD8R=k0GL HTTP/1.1Host: www.survival-hunter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: commercial invoice_010202201.exe
Executable has a suspicious name (potential lure to open the executable)
Source: commercial invoice_010202201.exe Static file information: Suspicious name
Uses 32bit PE files
Source: commercial invoice_010202201.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Detected potential crypto function
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041C999 1_2_0041C999
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004012FB 1_2_004012FB
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041BBF4 1_2_0041BBF4
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041CBF4 1_2_0041CBF4
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00408C7D 1_2_00408C7D
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00408C80 1_2_00408C80
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041BD5A 1_2_0041BD5A
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493B090 7_2_0493B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049520A0 7_2_049520A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F20A8 7_2_049F20A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493841F 7_2_0493841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E1002 7_2_049E1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952581 7_2_04952581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493D5E0 7_2_0493D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492F900 7_2_0492F900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F2D07 7_2_049F2D07
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04920D20 7_2_04920D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04944120 7_2_04944120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F1D55 7_2_049F1D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F22AE 7_2_049F22AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F2EF7 7_2_049F2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04946E30 7_2_04946E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495EBB0 7_2_0495EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049EDBD2 7_2_049EDBD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F1FF1 7_2_049F1FF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F2B28 7_2_049F2B28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085C999 7_2_0085C999
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085CBF4 7_2_0085CBF4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00848C80 7_2_00848C80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00848C7D 7_2_00848C7D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00842D90 7_2_00842D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00842FB0 7_2_00842FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0492B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004185E0 NtCreateFile, 1_2_004185E0
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00418690 NtReadFile, 1_2_00418690
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00418710 NtClose, 1_2_00418710
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004187C0 NtAllocateVirtualMemory, 1_2_004187C0
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004185DA NtCreateFile, 1_2_004185DA
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00418632 NtCreateFile, 1_2_00418632
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041868C NtReadFile, 1_2_0041868C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041870B NtClose, 1_2_0041870B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969840 NtDelayExecution,LdrInitializeThunk, 7_2_04969840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04969860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049699A0 NtCreateSection,LdrInitializeThunk, 7_2_049699A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049695D0 NtClose,LdrInitializeThunk, 7_2_049695D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_04969910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969540 NtReadFile,LdrInitializeThunk, 7_2_04969540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049696D0 NtCreateKey,LdrInitializeThunk, 7_2_049696D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049696E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_049696E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969650 NtQueryValueKey,LdrInitializeThunk, 7_2_04969650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969A50 NtCreateFile,LdrInitializeThunk, 7_2_04969A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04969660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969780 NtMapViewOfSection,LdrInitializeThunk, 7_2_04969780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969FE0 NtCreateMutant,LdrInitializeThunk, 7_2_04969FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969710 NtQueryInformationToken,LdrInitializeThunk, 7_2_04969710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049698A0 NtWriteVirtualMemory, 7_2_049698A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049698F0 NtReadVirtualMemory, 7_2_049698F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969820 NtEnumerateKey, 7_2_04969820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496B040 NtSuspendThread, 7_2_0496B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049699D0 NtCreateProcessEx, 7_2_049699D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049695F0 NtQueryInformationFile, 7_2_049695F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496AD30 NtSetContextThread, 7_2_0496AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969520 NtWaitForSingleObject, 7_2_04969520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969950 NtQueueApcThread, 7_2_04969950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969560 NtWriteFile, 7_2_04969560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969A80 NtOpenDirectoryObject, 7_2_04969A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969610 NtEnumerateValueKey, 7_2_04969610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969A10 NtQuerySection, 7_2_04969A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969A00 NtProtectVirtualMemory, 7_2_04969A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969A20 NtResumeThread, 7_2_04969A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969670 NtQueryInformationProcess, 7_2_04969670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496A3B0 NtGetContextThread, 7_2_0496A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049697A0 NtUnmapViewOfSection, 7_2_049697A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496A710 NtOpenProcessToken, 7_2_0496A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969B00 NtSetValueKey, 7_2_04969B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969730 NtQueryVirtualMemory, 7_2_04969730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969770 NtSetInformationFile, 7_2_04969770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496A770 NtOpenThread, 7_2_0496A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04969760 NtOpenProcess, 7_2_04969760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_008585E0 NtCreateFile, 7_2_008585E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00858690 NtReadFile, 7_2_00858690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_008587C0 NtAllocateVirtualMemory, 7_2_008587C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00858710 NtClose, 7_2_00858710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_008585DA NtCreateFile, 7_2_008585DA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085868C NtReadFile, 7_2_0085868C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00858632 NtCreateFile, 7_2_00858632
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_008587BA NtAllocateVirtualMemory, 7_2_008587BA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085870B NtClose, 7_2_0085870B
Sample file is different than original file name gathered from version info
Source: commercial invoice_010202201.exe, 00000000.00000003.680455463.000000000334F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe, 00000000.00000003.683859320.00000000031B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe, 00000001.00000003.684401687.00000000007B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe, 00000001.00000002.734189750.0000000000963000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe, 00000001.00000002.734588658.0000000000C7F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe, 00000001.00000002.734364645.0000000000AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe File read: C:\Users\user\Desktop\commercial invoice_010202201.exe
Source: commercial invoice_010202201.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\commercial invoice_010202201.exe "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process created: C:\Users\user\Desktop\commercial invoice_010202201.exe "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process created: C:\Users\user\Desktop\commercial invoice_010202201.exe "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe File created: C:\Users\user\AppData\Local\Temp\nshDF11.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@14/7
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: colorcpl.pdbGCTL source: commercial invoice_010202201.exe, 00000001.00000002.734183183.0000000000960000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: commercial invoice_010202201.exe, 00000001.00000002.734183183.0000000000960000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: commercial invoice_010202201.exe, 00000000.00000003.681356710.00000000030A0000.00000004.00000001.sdmp, commercial invoice_010202201.exe, 00000000.00000003.683908574.0000000003230000.00000004.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734202517.00000000009D0000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734364645.0000000000AEF000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000003.684222462.00000000006A0000.00000004.00000001.sdmp, colorcpl.exe, 00000007.00000002.944151655.0000000004A1F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.944001082.0000000004900000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: commercial invoice_010202201.exe, commercial invoice_010202201.exe, 00000001.00000002.734202517.00000000009D0000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000002.734364645.0000000000AEF000.00000040.00000001.sdmp, commercial invoice_010202201.exe, 00000001.00000003.684222462.00000000006A0000.00000004.00000001.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.944151655.0000000004A1F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.944001082.0000000004900000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_72B21000 push eax; ret 0_2_72B2102E
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019FD3D push ss; ret 0_2_0019FD44
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041B822 push eax; ret 1_2_0041B828
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041B82B push eax; ret 1_2_0041B892
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041B88C push eax; ret 1_2_0041B892
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0040609C pushfd ; ret 1_2_0040609E
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041C95D push es; ret 1_2_0041C95E
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041617F pushfd ; ret 1_2_00416193
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00415269 push ebx; ret 1_2_0041526B
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004172F6 push ebx; iretd 1_2_004172FD
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0040E326 pushfd ; retf 1_2_0040E32C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041BD5A push dword ptr [D80D12CBh]; ret 1_2_0041C81D
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041A5E5 push eax; retf 1_2_0041A5E8
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00415758 push es; iretd 1_2_0041575A
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041AF62 pushfd ; iretd 1_2_0041AF63
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_0041B7D5 push eax; ret 1_2_0041B828
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0497D0D1 push ecx; ret 7_2_0497D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085B88C push eax; ret 7_2_0085B892
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0084609C pushfd ; ret 7_2_0084609E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085B822 push eax; ret 7_2_0085B828
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085B82B push eax; ret 7_2_0085B892
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085C95D push es; ret 7_2_0085C95E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085617F pushfd ; ret 7_2_00856193
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_008572F6 push ebx; iretd 7_2_008572FD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_00855269 push ebx; ret 7_2_0085526B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0084E326 pushfd ; retf 7_2_0084E32C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085C4F3 push es; ret 7_2_0085C4F4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085A5E5 push eax; retf 7_2_0085A5E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085B7D5 push eax; ret 7_2_0085B828
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085C7D0 push dword ptr [D80D12CBh]; ret 7_2_0085C81D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0085C739 push cs; iretd 7_2_0085C73A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe File created: C:\Users\user\AppData\Local\Temp\nshDF13.tmp\uajs.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: /c del "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000000848604 second address: 000000000084860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 000000000084899E second address: 00000000008489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6632 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7108 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004088D0 rdtsc 1_2_004088D0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 9.6 %
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.705475865.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.719567550.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.705475865.000000000A60E000.00000004.00000001.sdmp Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xx
Source: explorer.exe, 00000005.00000000.718287441.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.693537022.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.688480052.0000000004791000.00000004.00000001.sdmp Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
Source: explorer.exe, 00000005.00000000.718334751.0000000004791000.00000004.00000001.sdmp Binary or memory string: 700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
Source: explorer.exe, 00000005.00000000.693537022.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.705475865.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir,,H

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_004088D0 rdtsc 1_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019E6DA mov eax, dword ptr fs:[00000030h] 0_2_0019E6DA
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019EA1C mov eax, dword ptr fs:[00000030h] 0_2_0019EA1C
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019E99F mov eax, dword ptr fs:[00000030h] 0_2_0019E99F
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019E9DE mov eax, dword ptr fs:[00000030h] 0_2_0019E9DE
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_0019E8EE mov eax, dword ptr fs:[00000030h] 0_2_0019E8EE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493849B mov eax, dword ptr fs:[00000030h] 7_2_0493849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04929080 mov eax, dword ptr fs:[00000030h] 7_2_04929080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A3884 mov eax, dword ptr fs:[00000030h] 7_2_049A3884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0495F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495F0BF mov eax, dword ptr fs:[00000030h] 7_2_0495F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049520A0 mov eax, dword ptr fs:[00000030h] 7_2_049520A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049690AF mov eax, dword ptr fs:[00000030h] 7_2_049690AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8CD6 mov eax, dword ptr fs:[00000030h] 7_2_049F8CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049BB8D0 mov eax, dword ptr fs:[00000030h] 7_2_049BB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049BB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_049BB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E14FB mov eax, dword ptr fs:[00000030h] 7_2_049E14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A6CF0 mov eax, dword ptr fs:[00000030h] 7_2_049A6CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049258EC mov eax, dword ptr fs:[00000030h] 7_2_049258EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F4015 mov eax, dword ptr fs:[00000030h] 7_2_049F4015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A7016 mov eax, dword ptr fs:[00000030h] 7_2_049A7016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A6C0A mov eax, dword ptr fs:[00000030h] 7_2_049A6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F740D mov eax, dword ptr fs:[00000030h] 7_2_049F740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E1C06 mov eax, dword ptr fs:[00000030h] 7_2_049E1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495002D mov eax, dword ptr fs:[00000030h] 7_2_0495002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493B02A mov eax, dword ptr fs:[00000030h] 7_2_0493B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495BC2C mov eax, dword ptr fs:[00000030h] 7_2_0495BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04940050 mov eax, dword ptr fs:[00000030h] 7_2_04940050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049BC450 mov eax, dword ptr fs:[00000030h] 7_2_049BC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495A44B mov eax, dword ptr fs:[00000030h] 7_2_0495A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F1074 mov eax, dword ptr fs:[00000030h] 7_2_049F1074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E2073 mov eax, dword ptr fs:[00000030h] 7_2_049E2073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494746D mov eax, dword ptr fs:[00000030h] 7_2_0494746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952990 mov eax, dword ptr fs:[00000030h] 7_2_04952990
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495FD9B mov eax, dword ptr fs:[00000030h] 7_2_0495FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495A185 mov eax, dword ptr fs:[00000030h] 7_2_0495A185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952581 mov eax, dword ptr fs:[00000030h] 7_2_04952581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494C182 mov eax, dword ptr fs:[00000030h] 7_2_0494C182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04922D8A mov eax, dword ptr fs:[00000030h] 7_2_04922D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04951DB5 mov eax, dword ptr fs:[00000030h] 7_2_04951DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A51BE mov eax, dword ptr fs:[00000030h] 7_2_049A51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F05AC mov eax, dword ptr fs:[00000030h] 7_2_049F05AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049535A1 mov eax, dword ptr fs:[00000030h] 7_2_049535A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049561A0 mov eax, dword ptr fs:[00000030h] 7_2_049561A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A69A6 mov eax, dword ptr fs:[00000030h] 7_2_049A69A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A6DC9 mov eax, dword ptr fs:[00000030h] 7_2_049A6DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_049A6DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049D8DF1 mov eax, dword ptr fs:[00000030h] 7_2_049D8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0492B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049B41E8 mov eax, dword ptr fs:[00000030h] 7_2_049B41E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0493D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049EFDE2 mov eax, dword ptr fs:[00000030h] 7_2_049EFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04929100 mov eax, dword ptr fs:[00000030h] 7_2_04929100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492AD30 mov eax, dword ptr fs:[00000030h] 7_2_0492AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04933D34 mov eax, dword ptr fs:[00000030h] 7_2_04933D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8D34 mov eax, dword ptr fs:[00000030h] 7_2_049F8D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049AA537 mov eax, dword ptr fs:[00000030h] 7_2_049AA537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04954D3B mov eax, dword ptr fs:[00000030h] 7_2_04954D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495513A mov eax, dword ptr fs:[00000030h] 7_2_0495513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04944120 mov eax, dword ptr fs:[00000030h] 7_2_04944120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04944120 mov ecx, dword ptr fs:[00000030h] 7_2_04944120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04947D50 mov eax, dword ptr fs:[00000030h] 7_2_04947D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494B944 mov eax, dword ptr fs:[00000030h] 7_2_0494B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04963D43 mov eax, dword ptr fs:[00000030h] 7_2_04963D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A3540 mov eax, dword ptr fs:[00000030h] 7_2_049A3540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492B171 mov eax, dword ptr fs:[00000030h] 7_2_0492B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494C577 mov eax, dword ptr fs:[00000030h] 7_2_0494C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492C962 mov eax, dword ptr fs:[00000030h] 7_2_0492C962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495D294 mov eax, dword ptr fs:[00000030h] 7_2_0495D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049BFE87 mov eax, dword ptr fs:[00000030h] 7_2_049BFE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0493AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0495FAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049252A5 mov eax, dword ptr fs:[00000030h] 7_2_049252A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F0EA5 mov eax, dword ptr fs:[00000030h] 7_2_049F0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A46A7 mov eax, dword ptr fs:[00000030h] 7_2_049A46A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8ED6 mov eax, dword ptr fs:[00000030h] 7_2_049F8ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04968EC7 mov eax, dword ptr fs:[00000030h] 7_2_04968EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049536CC mov eax, dword ptr fs:[00000030h] 7_2_049536CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049DFEC0 mov eax, dword ptr fs:[00000030h] 7_2_049DFEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952ACB mov eax, dword ptr fs:[00000030h] 7_2_04952ACB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049376E2 mov eax, dword ptr fs:[00000030h] 7_2_049376E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952AE4 mov eax, dword ptr fs:[00000030h] 7_2_04952AE4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049516E0 mov ecx, dword ptr fs:[00000030h] 7_2_049516E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04925210 mov eax, dword ptr fs:[00000030h] 7_2_04925210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04925210 mov ecx, dword ptr fs:[00000030h] 7_2_04925210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492AA16 mov eax, dword ptr fs:[00000030h] 7_2_0492AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04943A1C mov eax, dword ptr fs:[00000030h] 7_2_04943A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495A61C mov eax, dword ptr fs:[00000030h] 7_2_0495A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492C600 mov eax, dword ptr fs:[00000030h] 7_2_0492C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04958E00 mov eax, dword ptr fs:[00000030h] 7_2_04958E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E1608 mov eax, dword ptr fs:[00000030h] 7_2_049E1608
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04938A0A mov eax, dword ptr fs:[00000030h] 7_2_04938A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049DFE3F mov eax, dword ptr fs:[00000030h] 7_2_049DFE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492E620 mov eax, dword ptr fs:[00000030h] 7_2_0492E620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04964A2C mov eax, dword ptr fs:[00000030h] 7_2_04964A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049EEA55 mov eax, dword ptr fs:[00000030h] 7_2_049EEA55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049B4257 mov eax, dword ptr fs:[00000030h] 7_2_049B4257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04929240 mov eax, dword ptr fs:[00000030h] 7_2_04929240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04937E41 mov eax, dword ptr fs:[00000030h] 7_2_04937E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494AE73 mov eax, dword ptr fs:[00000030h] 7_2_0494AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0496927A mov eax, dword ptr fs:[00000030h] 7_2_0496927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049DB260 mov eax, dword ptr fs:[00000030h] 7_2_049DB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8A62 mov eax, dword ptr fs:[00000030h] 7_2_049F8A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493766D mov eax, dword ptr fs:[00000030h] 7_2_0493766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04952397 mov eax, dword ptr fs:[00000030h] 7_2_04952397
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495B390 mov eax, dword ptr fs:[00000030h] 7_2_0495B390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04938794 mov eax, dword ptr fs:[00000030h] 7_2_04938794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A7794 mov eax, dword ptr fs:[00000030h] 7_2_049A7794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E138A mov eax, dword ptr fs:[00000030h] 7_2_049E138A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04931B8F mov eax, dword ptr fs:[00000030h] 7_2_04931B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049DD380 mov ecx, dword ptr fs:[00000030h] 7_2_049DD380
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04954BAD mov eax, dword ptr fs:[00000030h] 7_2_04954BAD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F5BA5 mov eax, dword ptr fs:[00000030h] 7_2_049F5BA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049A53CA mov eax, dword ptr fs:[00000030h] 7_2_049A53CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049637F5 mov eax, dword ptr fs:[00000030h] 7_2_049637F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049503E2 mov eax, dword ptr fs:[00000030h] 7_2_049503E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0494DBE9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0494F716 mov eax, dword ptr fs:[00000030h] 7_2_0494F716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049E131B mov eax, dword ptr fs:[00000030h] 7_2_049E131B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049BFF10 mov eax, dword ptr fs:[00000030h] 7_2_049BFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F070D mov eax, dword ptr fs:[00000030h] 7_2_049F070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495A70E mov eax, dword ptr fs:[00000030h] 7_2_0495A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0495E730 mov eax, dword ptr fs:[00000030h] 7_2_0495E730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04924F2E mov eax, dword ptr fs:[00000030h] 7_2_04924F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8B58 mov eax, dword ptr fs:[00000030h] 7_2_049F8B58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492F358 mov eax, dword ptr fs:[00000030h] 7_2_0492F358
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492DB40 mov eax, dword ptr fs:[00000030h] 7_2_0492DB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493EF40 mov eax, dword ptr fs:[00000030h] 7_2_0493EF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_04953B7A mov eax, dword ptr fs:[00000030h] 7_2_04953B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0492DB60 mov ecx, dword ptr fs:[00000030h] 7_2_0492DB60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_0493FF60 mov eax, dword ptr fs:[00000030h] 7_2_0493FF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 7_2_049F8F6A mov eax, dword ptr fs:[00000030h] 7_2_049F8F6A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 1_2_00409B40 LdrLoadDll, 1_2_00409B40

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.sfcshavedice.com
Source: C:\Windows\explorer.exe Domain query: www.survival-hunter.com
Source: C:\Windows\explorer.exe Domain query: www.ludowinners.online
Source: C:\Windows\explorer.exe Domain query: www.moldluck.com
Source: C:\Windows\explorer.exe Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.200 80
Source: C:\Windows\explorer.exe Network Connect: 109.106.254.15 80
Source: C:\Windows\explorer.exe Domain query: www.answertitles.com
Source: C:\Windows\explorer.exe Domain query: www.stardomfrokch.xyz
Source: C:\Windows\explorer.exe Domain query: www.toposales.com
Source: C:\Windows\explorer.exe Domain query: www.friendschance.com
Source: C:\Windows\explorer.exe Domain query: www.cloudtotaal.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe Domain query: www.rxvendorpills.online
Source: C:\Windows\explorer.exe Domain query: www.controle-fiscal.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe Network Connect: 89.17.204.228 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 1330000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Memory written: C:\Users\user\Desktop\commercial invoice_010202201.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Process created: C:\Users\user\Desktop\commercial invoice_010202201.exe "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\commercial invoice_010202201.exe"
Source: explorer.exe, 00000005.00000000.687053553.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.700237184.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.715764560.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.700556991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687374189.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.716003606.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 00000007.00000002.943890329.0000000003350000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.700556991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.690157575.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.687374189.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.716003606.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 00000007.00000002.943890329.0000000003350000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.700556991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687374189.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.716003606.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 00000007.00000002.943890329.0000000003350000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.700556991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.687374189.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.716003606.0000000001080000.00000002.00020000.sdmp, colorcpl.exe, 00000007.00000002.943890329.0000000003350000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.722493290.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.705576188.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.693537022.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\commercial invoice_010202201.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.commercial invoice_010202201.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.commercial invoice_010202201.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.commercial invoice_010202201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.724210949.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943178813.0000000000840000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943350067.0000000000DF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734155296.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.683264295.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.943426858.0000000001150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.708365892.000000000EA3D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734132001.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.684515083.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.684056939.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.681309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734016685.0000000000400000.00000040.00000001.sdmp, type: MEMORY