Windows Analysis Report
2998MOD PO.exe

Overview

General Information

Sample name:	2998MOD PO.exe
Analysis ID:	1542414
MD5:	eba2ade6a60568538d8b918f65fa2f44
SHA1:	fbb6cb7c1c403502560bfe74340b06f31775a7eb
SHA256:	7b70d479034f458a6b695cc3c8aefd50c771ec183b749276aa66d18a6a33466c
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 2998MOD PO.exe

ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2998MOD PO.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 2998MOD PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2998MOD PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560731508.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sePlrCtAXqpc.exe, 00000007.00000002.3560434817.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562689546.0000000000DBE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2998MOD PO.exe, 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001950000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000008.00000003.2043927456.0000000004AD7000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000003.2041561877.0000000004929000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.2288885160.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SWBp.pdb source: 2998MOD PO.exe
Source:	Binary string: SWBp.pdbSHA256Y source: 2998MOD PO.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 4x nop then mov ebx, 00000004h

8_2_04B404E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 3.33.130.190:80

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /up8i/?Ax=9lO0gd2hrt6dKrz&1b80hL3=FonQAt5G6G0h5a/xcW34pfv7cxcrms3RfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQdsR1nmqFV7MzuwwVkSFycHqtReIUzDRqobl4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ladylawher.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2

Source: global traffic

DNS traffic detected: DNS query: www.ladylawher.org

Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 2998MOD PO.exe, 00000000.00000002.1873899778.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033/
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000008.00000003.2221615291.0000000007FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000008.00000003.2230772392.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.2998MOD PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2998MOD PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2288704216.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2041194663.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2040454369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2288668245.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3564602723.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3560962985.0000000002F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2042765684.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality to call native functions

Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0042C433 NtClose,	4_2_0042C433
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040A9E3 NtResumeThread,	4_2_0040A9E3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2B60 NtClose,LdrInitializeThunk,	4_2_019C2B60
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_019C2DF0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_019C2C70
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C35C0 NtCreateMutant,LdrInitializeThunk,	4_2_019C35C0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C4340 NtSetContextThread,	4_2_019C4340
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C4650 NtSuspendThread,	4_2_019C4650
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2B80 NtQueryInformationFile,	4_2_019C2B80
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2BA0 NtEnumerateValueKey,	4_2_019C2BA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2BF0 NtAllocateVirtualMemory,	4_2_019C2BF0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2BE0 NtQueryValueKey,	4_2_019C2BE0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2AB0 NtWaitForSingleObject,	4_2_019C2AB0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2AD0 NtReadFile,	4_2_019C2AD0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2AF0 NtWriteFile,	4_2_019C2AF0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2DB0 NtEnumerateKey,	4_2_019C2DB0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2DD0 NtDelayExecution,	4_2_019C2DD0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2D10 NtMapViewOfSection,	4_2_019C2D10
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2D00 NtSetInformationFile,	4_2_019C2D00
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2D30 NtUnmapViewOfSection,	4_2_019C2D30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2CA0 NtQueryInformationToken,	4_2_019C2CA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2CC0 NtQueryVirtualMemory,	4_2_019C2CC0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2CF0 NtOpenProcess,	4_2_019C2CF0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2C00 NtQueryInformationProcess,	4_2_019C2C00
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2C60 NtCreateKey,	4_2_019C2C60
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2F90 NtProtectVirtualMemory,	4_2_019C2F90
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2FB0 NtResumeThread,	4_2_019C2FB0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2FA0 NtQuerySection,	4_2_019C2FA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2FE0 NtCreateFile,	4_2_019C2FE0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2F30 NtCreateSection,	4_2_019C2F30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2F60 NtCreateProcessEx,	4_2_019C2F60
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2E80 NtReadVirtualMemory,	4_2_019C2E80
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2EA0 NtAdjustPrivilegesToken,	4_2_019C2EA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2EE0 NtQueueApcThread,	4_2_019C2EE0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C2E30 NtWriteVirtualMemory,	4_2_019C2E30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C3090 NtSetValueKey,	4_2_019C3090
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C3010 NtOpenDirectoryObject,	4_2_019C3010
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C39B0 NtGetContextThread,	4_2_019C39B0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C3D10 NtOpenProcessToken,	4_2_019C3D10
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C3D70 NtOpenThread,	4_2_019C3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF4650 NtSuspendThread,LdrInitializeThunk,	8_2_04CF4650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF4340 NtSetContextThread,LdrInitializeThunk,	8_2_04CF4340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_04CF2CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2C60 NtCreateKey,LdrInitializeThunk,	8_2_04CF2C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_04CF2C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_04CF2DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04CF2DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_04CF2D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_04CF2D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_04CF2EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_04CF2E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2FE0 NtCreateFile,LdrInitializeThunk,	8_2_04CF2FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2FB0 NtResumeThread,LdrInitializeThunk,	8_2_04CF2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2F30 NtCreateSection,LdrInitializeThunk,	8_2_04CF2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2AD0 NtReadFile,LdrInitializeThunk,	8_2_04CF2AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2AF0 NtWriteFile,LdrInitializeThunk,	8_2_04CF2AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_04CF2BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_04CF2BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_04CF2BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2B60 NtClose,LdrInitializeThunk,	8_2_04CF2B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF35C0 NtCreateMutant,LdrInitializeThunk,	8_2_04CF35C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF39B0 NtGetContextThread,LdrInitializeThunk,	8_2_04CF39B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2CC0 NtQueryVirtualMemory,	8_2_04CF2CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2CF0 NtOpenProcess,	8_2_04CF2CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2C00 NtQueryInformationProcess,	8_2_04CF2C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2DB0 NtEnumerateKey,	8_2_04CF2DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2D00 NtSetInformationFile,	8_2_04CF2D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2EA0 NtAdjustPrivilegesToken,	8_2_04CF2EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2E30 NtWriteVirtualMemory,	8_2_04CF2E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2F90 NtProtectVirtualMemory,	8_2_04CF2F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2FA0 NtQuerySection,	8_2_04CF2FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2F60 NtCreateProcessEx,	8_2_04CF2F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2AB0 NtWaitForSingleObject,	8_2_04CF2AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF2B80 NtQueryInformationFile,	8_2_04CF2B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF3090 NtSetValueKey,	8_2_04CF3090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF3010 NtOpenDirectoryObject,	8_2_04CF3010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF3D70 NtOpenThread,	8_2_04CF3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF3D10 NtOpenProcessToken,	8_2_04CF3D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4EF7E NtQueryInformationProcess,NtReadVirtualMemory,	8_2_04B4EF7E

Detected potential crypto function

Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_0117D5FC	0_2_0117D5FC
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05640F28	0_2_05640F28
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_056437E1	0_2_056437E1
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_056437F0	0_2_056437F0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05641788	0_2_05641788
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05641798	0_2_05641798
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05642E40	0_2_05642E40
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05642E30	0_2_05642E30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05641360	0_2_05641360
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05641350	0_2_05641350
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_004183D3	4_2_004183D3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00401110	4_2_00401110
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040E13B	4_2_0040E13B
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0042EAD3	4_2_0042EAD3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00402370	4_2_00402370
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040FCC3	4_2_0040FCC3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00416613	4_2_00416613
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040FEE3	4_2_0040FEE3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040DF63	4_2_0040DF63
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00402710	4_2_00402710
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00402FD0	4_2_00402FD0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A441A2	4_2_01A441A2
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A501AA	4_2_01A501AA
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A481CC	4_2_01A481CC
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01980100	4_2_01980100
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A2A118	4_2_01A2A118
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A18158	4_2_01A18158
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A22000	4_2_01A22000
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A503E6	4_2_01A503E6
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0199E3F0	4_2_0199E3F0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4A352	4_2_01A4A352
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A102C0	4_2_01A102C0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A30274	4_2_01A30274
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A50591	4_2_01A50591
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01990535	4_2_01990535
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A3E4F6	4_2_01A3E4F6
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A34420	4_2_01A34420
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A42446	4_2_01A42446
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0198C7C0	4_2_0198C7C0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019B4750	4_2_019B4750
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01990770	4_2_01990770
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AC6E0	4_2_019AC6E0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A5A9A6	4_2_01A5A9A6
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019929A0	4_2_019929A0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019A6962	4_2_019A6962
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019768B8	4_2_019768B8
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019BE8F0	4_2_019BE8F0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0199A840	4_2_0199A840
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01992840	4_2_01992840
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A46BD7	4_2_01A46BD7
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4AB40	4_2_01A4AB40
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0198EA80	4_2_0198EA80
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019A8DBF	4_2_019A8DBF
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0198ADE0	4_2_0198ADE0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0199AD00	4_2_0199AD00
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A2CD1F	4_2_01A2CD1F
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A30CB5	4_2_01A30CB5
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01980CF2	4_2_01980CF2
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01990C00	4_2_01990C00
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A0EFA0	4_2_01A0EFA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01982FC8	4_2_01982FC8
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A32F30	4_2_01A32F30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019B0F30	4_2_019B0F30
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019D2F28	4_2_019D2F28
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A04F40	4_2_01A04F40
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019A2E90	4_2_019A2E90
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4CE93	4_2_01A4CE93
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4EEDB	4_2_01A4EEDB
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4EE26	4_2_01A4EE26
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01990E59	4_2_01990E59
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0199B1B0	4_2_0199B1B0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A5B16B	4_2_01A5B16B
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0197F172	4_2_0197F172
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019C516C	4_2_019C516C
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4F0E0	4_2_01A4F0E0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A470E9	4_2_01A470E9
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019970C0	4_2_019970C0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A3F0CC	4_2_01A3F0CC
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019D739A	4_2_019D739A
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4132D	4_2_01A4132D
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0197D34C	4_2_0197D34C
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019952A0	4_2_019952A0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A312ED	4_2_01A312ED
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AB2C0	4_2_019AB2C0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AD2F0	4_2_019AD2F0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A2D5B0	4_2_01A2D5B0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A47571	4_2_01A47571
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4F43F	4_2_01A4F43F
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01981460	4_2_01981460
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4F7B0	4_2_01A4F7B0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A416CC	4_2_01A416CC
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019D5630	4_2_019D5630
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A25910	4_2_01A25910
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01999950	4_2_01999950
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AB950	4_2_019AB950
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019938E0	4_2_019938E0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019FD800	4_2_019FD800
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AFB80	4_2_019AFB80
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A05BF0	4_2_01A05BF0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019CDBF9	4_2_019CDBF9
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4FB76	4_2_01A4FB76
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A31AA3	4_2_01A31AA3
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A2DAAC	4_2_01A2DAAC
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019D5AA0	4_2_019D5AA0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A3DAC6	4_2_01A3DAC6
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A03A6C	4_2_01A03A6C
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A47A46	4_2_01A47A46
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4FA49	4_2_01A4FA49
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019AFDC0	4_2_019AFDC0
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A47D73	4_2_01A47D73
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01993D40	4_2_01993D40
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A41D5A	4_2_01A41D5A
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4FCF2	4_2_01A4FCF2
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A09C32	4_2_01A09C32
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01991F92	4_2_01991F92
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4FFB1	4_2_01A4FFB1
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01A4FF09	4_2_01A4FF09
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_01999EB0	4_2_01999EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D6E4F6	8_2_04D6E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D72446	8_2_04D72446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D64420	8_2_04D64420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D80591	8_2_04D80591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC0535	8_2_04CC0535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDC6E0	8_2_04CDC6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CBC7C0	8_2_04CBC7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CE4750	8_2_04CE4750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC0770	8_2_04CC0770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D52000	8_2_04D52000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D781CC	8_2_04D781CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D801AA	8_2_04D801AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D741A2	8_2_04D741A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D48158	8_2_04D48158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CB0100	8_2_04CB0100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D5A118	8_2_04D5A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D402C0	8_2_04D402C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D60274	8_2_04D60274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CCE3F0	8_2_04CCE3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D803E6	8_2_04D803E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7A352	8_2_04D7A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CB0CF2	8_2_04CB0CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D60CB5	8_2_04D60CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC0C00	8_2_04CC0C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CBADE0	8_2_04CBADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CD8DBF	8_2_04CD8DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D5CD1F	8_2_04D5CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CCAD00	8_2_04CCAD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7EEDB	8_2_04D7EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7CE93	8_2_04D7CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CD2E90	8_2_04CD2E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC0E59	8_2_04CC0E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7EE26	8_2_04D7EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CB2FC8	8_2_04CB2FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D3EFA0	8_2_04D3EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D34F40	8_2_04D34F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D62F30	8_2_04D62F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D02F28	8_2_04D02F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CE0F30	8_2_04CE0F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CEE8F0	8_2_04CEE8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CA68B8	8_2_04CA68B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CCA840	8_2_04CCA840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC2840	8_2_04CC2840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC29A0	8_2_04CC29A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D8A9A6	8_2_04D8A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CD6962	8_2_04CD6962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CBEA80	8_2_04CBEA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D76BD7	8_2_04D76BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7AB40	8_2_04D7AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CB1460	8_2_04CB1460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7F43F	8_2_04D7F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D895C3	8_2_04D895C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D5D5B0	8_2_04D5D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D77571	8_2_04D77571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D716CC	8_2_04D716CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D05630	8_2_04D05630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7F7B0	8_2_04D7F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC70C0	8_2_04CC70C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D6F0CC	8_2_04D6F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7F0E0	8_2_04D7F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D770E9	8_2_04D770E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CCB1B0	8_2_04CCB1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CF516C	8_2_04CF516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D8B16B	8_2_04D8B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CAF172	8_2_04CAF172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDB2C0	8_2_04CDB2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D612ED	8_2_04D612ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDD2F0	8_2_04CDD2F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC52A0	8_2_04CC52A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D0739A	8_2_04D0739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CAD34C	8_2_04CAD34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7132D	8_2_04D7132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7FCF2	8_2_04D7FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D39C32	8_2_04D39C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDFDC0	8_2_04CDFDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC3D40	8_2_04CC3D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D71D5A	8_2_04D71D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D77D73	8_2_04D77D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC9EB0	8_2_04CC9EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C83FD2	8_2_04C83FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C83FD5	8_2_04C83FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC1F92	8_2_04CC1F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7FFB1	8_2_04D7FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7FF09	8_2_04D7FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC38E0	8_2_04CC38E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D2D800	8_2_04D2D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CC9950	8_2_04CC9950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDB950	8_2_04CDB950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D55910	8_2_04D55910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D6DAC6	8_2_04D6DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D05AA0	8_2_04D05AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D61AA3	8_2_04D61AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D5DAAC	8_2_04D5DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D77A46	8_2_04D77A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7FA49	8_2_04D7FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D33A6C	8_2_04D33A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D35BF0	8_2_04D35BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CFDBF9	8_2_04CFDBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CDFB80	8_2_04CDFB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04D7FB76	8_2_04D7FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4EF7E	8_2_04B4EF7E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4E75C	8_2_04B4E75C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4E2A4	8_2_04B4E2A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4E3C6	8_2_04B4E3C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4D828	8_2_04B4D828

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: String function: 0197B970 appears 262 times
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: String function: 019FEA12 appears 86 times
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: String function: 019C5130 appears 58 times
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: String function: 01A0F290 appears 103 times
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: String function: 019D7E54 appears 99 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04CF5130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04CAB970 appears 262 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04D07E54 appears 107 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04D3F290 appears 103 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04D2EA12 appears 86 times

Sample file is different than original file name gathered from version info

Source: 2998MOD PO.exe, 00000000.00000002.1876830848.000000000B5A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 2998MOD PO.exe
Source: 2998MOD PO.exe, 00000000.00000000.1704754563.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSWBp.exeF vs 2998MOD PO.exe
Source: 2998MOD PO.exe, 00000000.00000002.1861503868.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2998MOD PO.exe
Source: 2998MOD PO.exe, 00000004.00000002.2041370277.0000000001A7D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2998MOD PO.exe
Source: 2998MOD PO.exe, 00000004.00000002.2040956683.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs 2998MOD PO.exe
Source: 2998MOD PO.exe	Binary or memory string: OriginalFilenameSWBp.exeF vs 2998MOD PO.exe

Uses 32bit PE files

Source: 2998MOD PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2998MOD PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@1/1

Source: C:\Users\user\Desktop\2998MOD PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2998MOD PO.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process created: C:\Users\user\Desktop\2998MOD PO.exe "C:\Users\user\Desktop\2998MOD PO.exe"	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs	.Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs	.Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])
Source: 0.2.2998MOD PO.exe.5400000.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs	.Net Code: TnpYr8bfmj System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 0_2_05648B25 push FFFFFF8Bh; iretd	0_2_05648B27
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00406155 push ss; retf	4_2_00406160
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00403270 push eax; ret	4_2_00403272
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040227F pushad ; retf	4_2_00402280
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_0040BB30 push eax; ret	4_2_0040BB31
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00404DCD push ebx; iretd	4_2_00404DD8
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_004066BD push edx; iretd	4_2_004066BF
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00413F7E pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_00413FC5 pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\2998MOD PO.exe	Code function: 4_2_019809AD push ecx; mov dword ptr [esp], ecx	4_2_019809B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C827FA pushad ; ret	8_2_04C827F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C8225F pushad ; ret	8_2_04C827F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C8283D push eax; iretd	8_2_04C82858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04CB09AD push ecx; mov dword ptr [esp], ecx	8_2_04CB09B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C8106B push edi; retf	8_2_04C8108A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04C87AAB push ecx; iretd	8_2_04C87ABE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4C447 push cs; ret	8_2_04B4C44B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4019B pushfd ; iretd	8_2_04B4019C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B55202 push eax; ret	8_2_04B55204
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B43D46 pushad ; ret	8_2_04B43D47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4CF48 push ebx; iretd	8_2_04B4CF49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B4BBF5 push ecx; ret	8_2_04B4BBF6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 8_2_04B44B06 push edi; iretd	8_2_04B44B07

Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, Yx0GApFkpsOyylP5i8.cs	High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, BD0tkRyW0NvFS0Kras.cs	High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, hxQAyEPkVUnir0mqK7.cs	High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, f6ijMJHORTQRhNugqL.cs	High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WLiWCAcvwIfxDKCaWi.cs	High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, kyj87KTr7ScneM7v26.cs	High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, e7iHOazfdRADLFCyRX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WMgNXPg2RPSOrhK9eh.cs	High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, TWS96jZxAX3EN502gS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs	High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, WnrTXVbngDZ3l5EyUi.cs	High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, J8YJ6nCparoCklRBhk.cs	High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, e6csmyNd1AuCqsOHuU.cs	High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, R92djQEdSh5jkUnu7Y.cs	High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, ajX7SvKstbl4V0tKAe.cs	High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, dBKwEy8HgOOo4pITZv.cs	High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, tFIMTA79oCEVXEbenh.cs	High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, xdVRuwVnxyYCMZQs8n.cs	High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
Source: 0.2.2998MOD PO.exe.b5a0000.3.raw.unpack, xKPA6QYeUQDw6KZEyv.cs	High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, Yx0GApFkpsOyylP5i8.cs	High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, BD0tkRyW0NvFS0Kras.cs	High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, hxQAyEPkVUnir0mqK7.cs	High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, f6ijMJHORTQRhNugqL.cs	High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WLiWCAcvwIfxDKCaWi.cs	High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, kyj87KTr7ScneM7v26.cs	High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, e7iHOazfdRADLFCyRX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WMgNXPg2RPSOrhK9eh.cs	High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, TWS96jZxAX3EN502gS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs	High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, WnrTXVbngDZ3l5EyUi.cs	High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, J8YJ6nCparoCklRBhk.cs	High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, e6csmyNd1AuCqsOHuU.cs	High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, R92djQEdSh5jkUnu7Y.cs	High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, ajX7SvKstbl4V0tKAe.cs	High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, dBKwEy8HgOOo4pITZv.cs	High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, tFIMTA79oCEVXEbenh.cs	High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, xdVRuwVnxyYCMZQs8n.cs	High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
Source: 0.2.2998MOD PO.exe.45df058.0.raw.unpack, xKPA6QYeUQDw6KZEyv.cs	High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, Yx0GApFkpsOyylP5i8.cs	High entropy of concatenated method names: 'sA2R4ibK34', 'tv1RdkLVgM', 'UXFZDEmtjX', 'URKZ9A06Jg', 'aTiZBUJliv', 'BrRZIM0HI6', 'ejrZb5ZtQ6', 'TWYZO2LRhh', 'EDUZENVdrs', 'l2DZl7rByE'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, BD0tkRyW0NvFS0Kras.cs	High entropy of concatenated method names: 'Ldk3TZ8LQs', 'Dkv3CBQhnb', 'DyfQG8jBBo', 'PJmQAD6PDC', 't5n3LrI8fd', 'BZx3kIeIjZ', 'g0p3gxV9LY', 'pos3JUwNWA', 'lOf3MhhA8g', 'n863cqGgXV'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, hxQAyEPkVUnir0mqK7.cs	High entropy of concatenated method names: 'vcsqj7bqfr', 'uivqv0brPO', 'EwBqH4B36e', 'mjVqZOHhgv', 'qfjqRfwDJk', 'e1Bqxm6JNa', 'nMXqssQLgD', 'nFlqPxrWg1', 'MjlqpYj8Tn', 'CHGqol9Spy'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, f6ijMJHORTQRhNugqL.cs	High entropy of concatenated method names: 'Dispose', 'g9WAKlRnb6', 'XhqVUeR2BV', 'U9vGGhuAMq', 'PPyACj87Kr', 'FScAzneM7v', 'ProcessDialogKey', 'C6GVGjX7Sv', 'jtbVAl4V0t', 'XAeVVB8YJ6'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WLiWCAcvwIfxDKCaWi.cs	High entropy of concatenated method names: 'ToString', 'igQuLDVyDD', 'kdruUNml9f', 'xjauDtEpHq', 'EgLu93fV1P', 'GCluBUKZmZ', 'oQWuIq4dmV', 'QUhubWyBrw', 'FYWuOUYrsX', 'E4wuEOltyO'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, kyj87KTr7ScneM7v26.cs	High entropy of concatenated method names: 'plCQvxEf01', 'XGaQHXS2hu', 'hm3QZypwaZ', 'aAWQRpvqbc', 'eCoQxjdrmi', 'k7aQsJqiI1', 'a03QPSwyiq', 'bKfQpHlGwW', 'NlwQoeeV4Q', 'dkPQtIBUFL'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, e7iHOazfdRADLFCyRX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CbFmeSxOJx', 'wdrm18NP2O', 'WNdmuOfnFQ', 'cs1m38lhVU', 'ceUmQxMkAV', 'PQcmmfOJD5', 'g4emaKE7yJ'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WMgNXPg2RPSOrhK9eh.cs	High entropy of concatenated method names: 'TjKeW6uuhl', 'JXaeNak938', 'DUfe79wOjP', 'JZBeUGwj6a', 'B8ue90HnLg', 'mOSeBFsg97', 'jdKeb4XNuj', 'fLjeOOlJUe', 'zD1elAbgA7', 'SlBeLQwPAF'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, TWS96jZxAX3EN502gS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NCLVKjoOGe', 'J3aVC65g2J', 'nKvVzcmJkP', 'UdRqGQQncQ', 'ayMqAQjPUp', 'YyuqVjS1j2', 'lq7qqnsDgr', 'AnP8IBzLo4heWACJmJ'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, yoC8k9AGeE8sgPPbwXA.cs	High entropy of concatenated method names: 'QDlmS25Jsq', 'JYumnoZws9', 'poYmr8lGNv', 'IRUm0MaH8k', 'pvUm4ThjHS', 'IMhm2R26Kr', 'NwxmdRDWpi', 'PvWmWnCle1', 'mmhmN6vLPA', 'XtmmF9qsUT'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, WnrTXVbngDZ3l5EyUi.cs	High entropy of concatenated method names: 'C6qsvkEMuJ', 'sU8sZI8ecH', 'vk6sxtLQGc', 'a9QxCfCQsl', 'fyhxzvp9QX', 'TCPsG20i6S', 'BYFsAYwXGd', 'NgnsVYGuNv', 'qbdsqKWHQJ', 'oT5sY5xSq0'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, GuVZeiWWGgyIsVPOZB.cs	High entropy of concatenated method names: 'hF7HJBiPwH', 'j1YHMI118Y', 'ce1Hc5DkQT', 'E0WH8cGuox', 'V0eHhT1jbp', 'weGHyuOcHq', 'qAaH5aie6X', 'x1wHT8S8cr', 'tXoHKdV8qc', 'XUnHCkddwl'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, J8YJ6nCparoCklRBhk.cs	High entropy of concatenated method names: 'OdemAsdVH6', 'dekmq8MPrV', 'bsEmYZtRU9', 'TqKmvaDUWB', 'aoRmHfCoyo', 'tGZmRf2hbN', 'KhymxNdQfB', 'fsyQ55L4Yg', 'FRSQTxesBd', 'QrwQKl5Wh6'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, e6csmyNd1AuCqsOHuU.cs	High entropy of concatenated method names: 'Re7Z0N6w07', 'UClZ2UkCZs', 'tOIZW0hHJL', 'hGAZNw4gA5', 'RUQZ1vdC3o', 'lLoZuloGso', 'DllZ3mHlmy', 'nWaZQemowf', 'dPVZmZW54H', 'JywZa10SRi'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, R92djQEdSh5jkUnu7Y.cs	High entropy of concatenated method names: 'RFgsSkmWxD', 'hyYsnyxpcB', 'qassrl3ws5', 'wv0s047Uua', 'vTQs4muanQ', 'tXTs2Ngl5D', 'Q5psd8PDBQ', 'e2HsWqv4Km', 'BdQsNFIthg', 'sDXsFP8oZ4'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, ajX7SvKstbl4V0tKAe.cs	High entropy of concatenated method names: 'rLcQ7qDm4V', 'MS1QUtK6OX', 'raVQDPtmsg', 'Oc7Q9yZraa', 'pSaQJmcfJD', 'g4kQBFGvtw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, dBKwEy8HgOOo4pITZv.cs	High entropy of concatenated method names: 'Mw23oEYFvY', 'B053t70mF7', 'ToString', 'OD43vQRfgJ', 'Avv3HRtxVQ', 'p9d3ZkxhMN', 'V2s3RMS0bh', 'aef3xgUBxo', 'lYS3s06pnc', 'HXY3Pk76dN'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, kQ6WtiAqcS5W9tw0Oxs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7DaJuaw7A', 'tgIaMIOEAV', 'rt9acop79a', 'iUMa8VqfaN', 'N0nahGgG28', 'rh4ayENCgB', 'Udxa5rcUTJ'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, tFIMTA79oCEVXEbenh.cs	High entropy of concatenated method names: 'XUTxjK4Woj', 'VVQxHQvYJj', 'WgaxRYJcfy', 'FJbxs3fpwa', 'BwCxPkC0U5', 'Jy2RhO9jMZ', 'ATERypmftS', 'i2cR5upHoM', 'acqRTWjaiw', 'PwPRKJQw9W'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, xdVRuwVnxyYCMZQs8n.cs	High entropy of concatenated method names: 'O5krvD0OT', 'eQO0C377x', 'H1Y25QDcO', 'L3QdwFmTE', 'NZrNynmGt', 'YxOFxuSMM', 'jOOjjlZu3PLatRliU8', 'V58a8IE0CyRCCoJ09h', 'KOdQtuFon', 'K4gamTItu'
Source: 0.2.2998MOD PO.exe.4666e78.1.raw.unpack, xKPA6QYeUQDw6KZEyv.cs	High entropy of concatenated method names: 'YIUAsuVZei', 'DGgAPyIsVP', 'Vd1AoAuCqs', 'MHuAtUCx0G', 'NP5A1i8fFI', 'RTAAu9oCEV', 'n6gmfh5pChGwbgX4pJ', 'jNpIZ2vXCOO8H7Z3o3', 'A1XAA6Ty1v', 'euMAqjvVIi'

Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4

Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 7540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: B630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: C630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Memory allocated: D630000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2998MOD PO.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 1.6 %

Source: C:\Users\user\Desktop\2998MOD PO.exe TID: 7352	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe TID: 7988	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: sePlrCtAXqpc.exe, 00000009.00000002.3562517847.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: colorcpl.exe, 00000008.00000002.2287863958.0000000002F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ(y

Source: C:\Users\user\Desktop\2998MOD PO.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2998MOD PO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\uZYYnmPedNYIjWqPsWOYKeetmwkKyGZUKAuFniHMcygNfALrFzFrLvWGPJTnONRCeIDRYuvUw\sePlrCtAXqpc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior

Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: sePlrCtAXqpc.exe, 00000007.00000000.1954566994.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000007.00000002.3560799779.0000000001960000.00000002.00000001.00040000.00000000.sdmp, sePlrCtAXqpc.exe, 00000009.00000002.3562768183.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Name	IP	Active
ladylawher.org	3.33.130.190	true
www.ladylawher.org	unknown	unknown

ID:	1542414
Product:	CloudBasic
Start time:	22:08:57
Start date:	25.10.2024
Sample:	2998MOD PO.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	eba2ade6a60568538d8b918f65fa2f44
SHA1:	fbb6cb7c1c403502560bfe74340b06f31775a7eb
SHA256:	7b70d479034f458a6b695cc3c8aefd50c771ec183b749276aa66d18a6a33466c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2998MOD PO.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\Ea64OHKq	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3

Windows Analysis Report 2998MOD PO.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
2998MOD PO.exe

Malware Threat Intel
Provided by