colorcpl.exe

  • File Path: C:\Windows\system32\colorcpl.exe
  • Description: Microsoft Color Control Panel

Hashes

  • MD5: 7009947CFC65EA513ED9EBD37EC63C62
  • SHA1: 62B0273CD43E21DC9E55A100BE1F7C52D6C5F249
  • SHA256: 86C19BC9523FB84EEF1A18AF66ACED909C32FEDBAD9988397A8367A836BBB2E0
  • SHA384: B71E7970CD5AA3C28E8909F4DABAF3F889BD9D12D2D233BB4E0EB1BEBF62902B671B51891B49F092B319E1BD2B1F408F
  • SHA512: 514DFB6B4CFAC6BCB7B70B810A1FDBBFF6E21EBDBD0DE3929045E53520B9045D9CCCD9897996800875184415693AE1D4A7E0DA1C9F5307D12CE49FD480C7E7A3
  • SSDEEP: 1536:wf7sbIPfSbS9vMBN7rQOJ7CFToTCzhcRguhwxTyPCb3lZpdym4dy7p:a4EXlvq7jSP1cR2prbpdCY9
  • IMP: BF699192BC903253BE75CBD63776138C
  • PESHA1: 3CB5DE3671DE72DB42C1A002BEAFC680FD6E2157
  • PE256: C711DCD79F719F80C5438AFC58B255D35F5E08333FBCDE7B903FAA95FF473EE8

Runtime Data

Window Title:

Color Management

Open Handles:

Access Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\colorcpl.exe.mui File
(R-D) C:\Windows\System32\en-US\colorui.dll.mui File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

  • C:\Windows\System32\ADVAPI32.dll
  • C:\Windows\system32\colorcpl.exe
  • C:\Windows\system32\colorui.dll
  • C:\Windows\System32\combase.dll
  • C:\Windows\System32\GDI32.dll
  • C:\Windows\System32\gdi32full.dll
  • C:\Windows\System32\KERNEL32.DLL
  • C:\Windows\System32\KERNELBASE.dll
  • C:\Windows\System32\msvcp_win.dll
  • C:\Windows\System32\msvcrt.dll
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\OLE32.dll
  • C:\Windows\System32\OLEAUT32.dll
  • C:\Windows\System32\RPCRT4.dll
  • C:\Windows\System32\sechost.dll
  • C:\Windows\System32\SHELL32.dll
  • C:\Windows\System32\SHLWAPI.dll
  • C:\Windows\System32\ucrtbase.dll
  • C:\Windows\System32\USER32.dll
  • C:\Windows\System32\win32u.dll
  • C:\Windows\system32\WINSPOOL.DRV

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: colorcpl.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/86c19bc9523fb84eef1a18af66aced909c32fedbad9988397a8367a836bbb2e0/detection

File Similarity (ssdeep match)

File (ssdeep match score):

  • C:\windows\system32\colorcpl.exe: 94
  • C:\WINDOWS\system32\colorcpl.exe: 94
  • C:\Windows\system32\colorcpl.exe: 96
  • C:\WINDOWS\system32\colorcpl.exe: 93
  • C:\Windows\system32\colorcpl.exe: 96
  • C:\windows\SysWOW64\colorcpl.exe: 93
  • C:\WINDOWS\SysWOW64\colorcpl.exe: 94
  • C:\Windows\SysWOW64\colorcpl.exe: 96
  • C:\Windows\SysWOW64\colorcpl.exe: 94
  • C:\Windows\SysWOW64\colorcpl.exe: 97
  • C:\WINDOWS\SysWOW64\colorcpl.exe: 94

Possible Misuse

The following entries are possible examples of colorcpl.exe being misused. While colorcpl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: file_event_win_susp_colorcpl.yml
  • License: DRL 1.0
  • Examples from the rule:
      • title: Suspicious Creation with Colorcpl
      • description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
      • Image|endswith: \colorcpl.exe

MIT License. Copyright (c) 2020-2021 Strontic.