colorcpl.exe

  • File Path: C:\Windows\system32\colorcpl.exe
  • Description: Microsoft Color Control Panel

Screenshot

colorcpl.exe

Hashes

Type Hash
MD5 F24913A27288728064D4B1EE4FBC2354
SHA1 81289E917142E9C188DBEBAEDB280772F7F9AFA0
SHA256 C57CB5E7B90F921FB9C6F4992513D58941397F7ADBB03ACDFAC1E36E7E763A31
SHA384 89E5C19EB933B1425A0259839B1972FFC7F6FB7EFE455A651E748121535BF9D0FF9C6FC65EA1B16F32043CC20CD3E763
SHA512 43C7A0F67697DE959F51D74A3A4D66FCEDF1879A9C6EF0461DD216E0F976C4849860FC314FCD9C0A1B1B7B82ADAFCB2A3678E409D041B5BD89CB91793EF9F0AE
SSDEEP 1536:btiIPfSbS9vMBN7rQOJ7CFToTCzhcRguhwxTyPCb3lZpdym4dy7p:x1Xlvq7jSP1cR2prbpdCY9
IMP BF699192BC903253BE75CBD63776138C
PESHA1 D335F44F8B4DFFEDEEE538878286F58E01F253B4
PE256 1128663FA2D0AA6354001180F084923D95B6A6FD51943487933088A92BDBBD0E

Runtime Data

Window Title:

Color Management

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\colorcpl.exe.mui File
(R-D) C:\Windows\System32\en-US\colorui.dll.mui File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\SYSTEM32\atlthunk.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\system32\ColorAdapterClient.dll
C:\Windows\system32\colorcpl.exe
C:\Windows\system32\colorui.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\SYSTEM32\DUser.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\system32\IPHLPAPI.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\system32\mscms.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\system32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SETUPAPI.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\SYSTEM32\sti.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\USERENV.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\SYSTEM32\WindowsCodecs.dll
C:\Windows\system32\WINSPOOL.DRV
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\comctl32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: colorcpl.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/c57cb5e7b90f921fb9c6f4992513d58941397f7adbb03acdfac1e36e7e763a31/detection/

File Similarity (ssdeep match)

File Score
C:\windows\system32\colorcpl.exe 96
C:\WINDOWS\system32\colorcpl.exe 96
C:\Windows\system32\colorcpl.exe 96
C:\Windows\system32\colorcpl.exe 96
C:\WINDOWS\system32\colorcpl.exe 94
C:\windows\SysWOW64\colorcpl.exe 94
C:\WINDOWS\SysWOW64\colorcpl.exe 97
C:\Windows\SysWOW64\colorcpl.exe 96
C:\Windows\SysWOW64\colorcpl.exe 100
C:\Windows\SysWOW64\colorcpl.exe 97
C:\WINDOWS\SysWOW64\colorcpl.exe 96

Possible Misuse

The following table contains possible examples of colorcpl.exe being misused. While colorcpl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_susp_colorcpl.yml title: Suspicious Creation with Colorcpl DRL 1.0
sigma file_event_win_susp_colorcpl.yml description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\ DRL 1.0
sigma file_event_win_susp_colorcpl.yml Image\|endswith: \colorcpl.exe DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.