Windows Analysis Report
Pictures.exe

Overview

General Information

Sample name: Pictures.exe
Analysis ID: 1432279
MD5: 0017413629107fb8b1a300fe714798a7
SHA1: 4168ee9a4bbbb6541741b17481da79808c7a9d6d
SHA256: b31fb6f44818b2df444399a417c3323fd98234c5546235cc863494a22992a5a7

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: System File Execution Location Anomaly
Sigma detected: Uncommon Userinit Child Process
Contains functionality to dynamically determine API calls
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Userinit Child Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Pictures.exe Avira: detected
Source: C:\Windows\SysWOW64\system.exe ReversingLabs: Detection: 100%
Source: C:\Windows\userinit.exe ReversingLabs: Detection: 100%
Source: Pictures.exe ReversingLabs: Detection: 100%
Source: Pictures.exe Joe Sandbox ML: detected
Source: Pictures.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Pictures.exe Binary or memory string: \AutoRun.inf
Source: Pictures.exe Binary or memory string: D:\AutoRun.inf
Source: Pictures.exe Binary or memory string: [autorun]
Source: Pictures.exe Binary or memory string: [AutoRun]
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \AutoRun.inf
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: D:\AutoRun.inf
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe Binary or memory string: \AutoRun.inf
Source: system.exe Binary or memory string: D:\AutoRun.inf
Source: system.exe Binary or memory string: [autorun]
Source: system.exe Binary or memory string: [AutoRun]
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: \AutoRun.inf
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer

System Summary

Source: initial sample Static PE information: Filename: Pictures.exe
Source: Pictures.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: userinit.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: system.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe File created: C:\Windows\kdcoms.dll
Source: C:\Windows\userinit.exe File created: C:\Windows\SysWOW64\system.exe
Source: C:\Windows\SysWOW64\system.exe Code function: String function: 00401218 appears 32 times
Source: Pictures.exe Binary or memory string: OriginalFilename vs Pictures.exe
Source: Pictures.exe, 00000000.00000000.2093480164.0000000000430000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000430000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: system.exe Binary or memory string: *\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp, system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp *m
Source: system.exe, system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: classification engine Classification label: mal100.evad.winEXE@626/38@0/0
Source: C:\Windows\SysWOW64\system.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Local\Temp\~DFC5FDE2593792060A.TMP
Source: C:\Users\user\Desktop\Pictures.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Pictures.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Pictures.exe File read: C:\Users\user\Desktop\Pictures.exe
Source: unknown Process created: C:\Users\user\Desktop\Pictures.exe "C:\Users\user\Desktop\Pictures.exe"
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\userinit.exe C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\userinit.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: sxs.dll
Source: C:\Windows\userinit.exe Section loaded: apphelp.dll
Source: C:\Windows\userinit.exe Section loaded: msvbvm60.dll
Source: C:\Windows\userinit.exe Section loaded: vb6zz.dll
Source: C:\Windows\userinit.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\userinit.exe Section loaded: uxtheme.dll
Source: C:\Windows\userinit.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exe Section loaded: sxs.dll

Data Obfuscation

Source: C:\Users\user\Desktop\Pictures.exe Unpacked PE file: 0.2.Pictures.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 3.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 4.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 5.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 6.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 7.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 8.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 9.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 10.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 11.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 13.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 14.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 17.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 18.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 19.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 20.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 21.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 22.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 23.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 24.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 25.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 26.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 27.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 28.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 29.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 30.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 31.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 32.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 33.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 34.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 35.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 37.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 38.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe Unpacked PE file: 39.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_00520AD3 LoadLibraryA,GetProcAddress, 0_2_00520AD3
Source: system.exe.2.dr Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: userinit.exe.0.dr Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: Pictures.exe Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC50 push 00401212h; ret 0_2_0040BC63
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C852 push 00401212h; ret 0_2_0040C865
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC64 push 00401212h; ret 0_2_0040BC77
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC78 push 00401212h; ret 0_2_0040BC8B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC00 push 00401212h; ret 0_2_0040BC13
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C802 push 00401212h; ret 0_2_0040C815
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC14 push 00401212h; ret 0_2_0040BC27
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C816 push 00401212h; ret 0_2_0040C829
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC28 push 00401212h; ret 0_2_0040BC3B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C82A push 00401212h; ret 0_2_0040C83D
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC3C push 00401212h; ret 0_2_0040BC4F
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C83E push 00401212h; ret 0_2_0040C851
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BCC8 push 00401212h; ret 0_2_0040BCDB
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BCDC push 00401212h; ret 0_2_0040BCEF
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BCF0 push 00401212h; ret 0_2_0040BD03
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BC8C push 00401212h; ret 0_2_0040BC9F
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BCA0 push 00401212h; ret 0_2_0040BCB3
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BCB4 push 00401212h; ret 0_2_0040BCC7
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD40 push 00401212h; ret 0_2_0040BD53
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD54 push 00401212h; ret 0_2_0040BD67
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD68 push 00401212h; ret 0_2_0040BD7B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD7C push 00401212h; ret 0_2_0040BD8F
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD04 push 00401212h; ret 0_2_0040BD17
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD18 push 00401212h; ret 0_2_0040BD2B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BD2C push 00401212h; ret 0_2_0040BD3F
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040C934 push esp; retf 0_2_0040C935
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BDCC push 00401212h; ret 0_2_0040BDDF
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040A9DC push 00401212h; ret 0_2_0040AACB
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BDE0 push 00401212h; ret 0_2_0040BDF3
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0040BDF4 push 00401212h; ret 0_2_0040BE07
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_004031FE push edi; iretd 0_2_004033CC
Source: Pictures.exe Static PE information: section name: .text entropy: 7.992500880288964
Source: userinit.exe.0.dr Static PE information: section name: .text entropy: 7.992500880288964
Source: system.exe.2.dr Static PE information: section name: .text entropy: 7.992500880288964

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe Executable created and started: C:\Windows\SysWOW64\system.exe
Source: C:\Users\user\Desktop\Pictures.exe Executable created and started: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe File created: C:\Windows\SysWOW64\system.exe

Boot Survival

barindex
Source: C:\Windows\userinit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\userinit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\userinit.exe Window / User API: foregroundWindowGot 1775
Source: C:\Users\user\Desktop\Pictures.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Pictures.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_00520AD3 LoadLibraryA,GetProcAddress, 0_2_00520AD3
No contacted IP infos