Analysis Report Pictures.bat

Overview

General Information

Sample Name: Pictures.bat (renamed file extension from bat to exe)
Analysis ID: 329739
MD5: 97df3062b2fda05a79936b955cff4351
SHA1: 3b373ce09cad268b3ae86454f4ba23d70e59770f
SHA256: 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
Tags: bat, HawkEye


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in its version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: Pictures.exe.6464.7.memstr Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Pictures.exe Virustotal: Detection: 30%
Source: Pictures.exe ReversingLabs: Detection: 41%
Antivirus or Machine Learning detection for unpacked file
Source: 23.2.Pictures.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.Pictures.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 35.2.Pictures.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 35.2.Pictures.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
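The "May infect USB drives" verdict above rests on two strings ("[autorun]" and "autorun.inf") found in process memory, and the credential-theft and exfiltration strings listed later under Networking (the moz_logins query, the IntelliForms key, nirsoft.net, smtp.privateemail.com, the hastebin raw URL) are matched the same way. The scanner below reproduces that kind of memory-string triage offline and combines the hits into a verdict. It is an added example, not Joe Sandbox, HawkEye or NirSoft code: the indicator bytes are the report's own, while the category names, the two-category threshold and the sample buffer are constructed for the illustration. Because HawkEye is .NET, its string literals sit in memory as UTF-16LE while the bundled native NirSoft tools keep ASCII strings, so each indicator is searched in both encodings, as a Yara `wide ascii` modifier would.

```python
"""Triage a process memory dump for the string indicators this report matched:
HawkEye's USB-spread artefacts, the NirSoft credential-recovery strings and the
exfiltration endpoints.

Added example, not Joe Sandbox, HawkEye or NirSoft code. The indicator bytes are
the report's own 'Binary or memory string' values; the category names, the
scoring threshold and the sample buffer are constructed for this illustration."""
import re
from collections import defaultdict

INDICATORS = {
    "usb-spread": [b"[autorun]", b"autorun.inf"],
    "browser-credential-theft": [b"FROM moz_logins", b"signons.sqlite", b"IntelliForms\\Storage2"],
    "nirsoft-tooling": [b"http://www.nirsoft.net/", b"Microsoft_WinInet"],
    "exfil-and-recon": [b"whatismyipaddress.com", b"smtp.privateemail.com", b"hastebin.com/raw/"],
}


def _encodings(needle):
    """HawkEye is .NET, so its literals sit in memory as UTF-16LE; the bundled NirSoft
    tools are native and keep ASCII strings. Search both forms, like Yara 'wide ascii'."""
    yield "ascii", re.compile(re.escape(needle))
    yield "utf16le", re.compile(re.escape(needle.decode("ascii").encode("utf-16-le")))


def scan(buf):
    """Return {category: [(offset, encoding, indicator), ...]} for every hit in buf."""
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            for encoding, rx in _encodings(needle):
                for m in rx.finditer(buf):
                    hits[category].append((m.start(), encoding, needle.decode("ascii")))
    return dict(hits)


def verdict(hits, minimum_categories=2):
    """One category alone is weak evidence (autorun.inf appears in plenty of benign
    installers); hits across several independent capabilities are what the sandbox's
    combined score reflects. The threshold is an assumption for this example."""
    categories = sorted(hits)
    label = "hawkeye-like" if len(categories) >= minimum_categories else "inconclusive"
    return label, categories


# Constructed dump fragment: ASCII strings as a native module would hold them,
# plus one UTF-16LE literal as the .NET runtime stores it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[autorun]\r\nopen=Pictures.exe\r\n"
    + "autorun.inf".encode("utf-16-le")
    + b"\x00" * 8
    + b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, "
    + b"encryptedUsername, encryptedPassword FROM moz_logins"
    + b"\x00http://www.nirsoft.net/\x00"
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for category, entries in found.items():
        for offset, encoding, indicator in entries:
            print(f"{category:26} 0x{offset:06x} {encoding:8} {indicator}")
    print(verdict(found))
```

On a real dump (for example a `.sdmp` region exported from the sandbox, or a `procdump` image) pass the file contents to `scan`; the offsets let you jump straight to the hit in a hex viewer and confirm it is a live string rather than a fragment of a font or certificate blob, which, as the long URL list in the Networking section shows, make up most of the noise in this sample's memory.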

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_063126D9
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_0631326B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_06312B99
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_06312835
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E52F4C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E53715
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E5362B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E52C27
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then call 0584A6E8h 7_2_07E52962
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E52962
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then call 0584A6E8h 7_2_07E52878
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07E52878
Source: C:\Users\user\Desktop\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 7_2_07FBFE8A

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: hastebin.com (6 queries)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 199.193.7.228:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.193.7.228 199.193.7.228
Source: Joe Sandbox View IP Address: 104.24.126.89 104.24.126.89
Source: Joe Sandbox View IP Address: 172.67.143.180 172.67.143.180
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 199.193.7.228:587
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: hastebin.com
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000013.00000003.772377584.0000000003485000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.743322819.0000000005BA0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Pictures.exe, 00000007.00000002.813515212.0000000003300000.00000004.00000001.sdmp String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://wI5CH./
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com6
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comF
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comopsz
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comx
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Pictures.exe, 00000007.00000003.695701608.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html6
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Pictures.exe, 00000007.00000003.698812159.0000000006367000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Pictures.exe, 00000007.00000002.812029938.00000000018C7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comceom
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Pictures.exe, 00000007.00000003.688584334.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn//wS5IH..
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Pictures.exe, 00000007.00000003.688773365.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn=I
Source: Pictures.exe, 00000007.00000003.688698853.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnMIr4
Source: Pictures.exe, 00000007.00000003.703414982.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krk5
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Pictures.exe, 00000007.00000003.690785551.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com-u
Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com7
Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.coml
Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krM
Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krN.TTF
Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krP
Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krY5RI
Source: Pictures.exe, 00000007.00000002.813738725.000000000333B000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Pictures.exe, 00000007.00000003.695329896.0000000006365000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000003.700552872.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deP
Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dee
Source: Pictures.exe, 00000007.00000003.700382243.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deve
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Pictures.exe, 00000007.00000003.689287299.0000000006368000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com
Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/yonozilace
Source: Pictures.exe, 00000000.00000002.745005062.0000000002DA1000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860989789.000000000254D000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880538593.0000000002D61000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063105B4 SetWindowsHookExA 0000000D,00000000,?,? 7_2_063105B4
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Pictures.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Pictures.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Pictures.exe Window created: window name: CLIPBRDWNDCLASS
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D739 GetKeyState,GetKeyState,GetKeyState, 7_2_0631D739
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D748 GetKeyState,GetKeyState,GetKeyState, 7_2_0631D748

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Pictures.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56528 NtWriteVirtualMemory, 7_2_07E56528
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56534 NtSetContextThread, 7_2_07E56534
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56510 NtUnmapViewOfSection, 7_2_07E56510
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E5D000 NtWriteVirtualMemory, 7_2_07E5D000
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E565A0 NtSetContextThread, 7_2_07E565A0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E565AC NtUnmapViewOfSection, 7_2_07E565AC
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56588 NtWriteVirtualMemory, 7_2_07E56588
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56594 NtSetContextThread, 7_2_07E56594
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56570 NtUnmapViewOfSection, 7_2_07E56570
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E56540 NtSetContextThread, 7_2_07E56540
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E5654C NtUnmapViewOfSection, 7_2_07E5654C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E5E240 NtSetContextThread, 7_2_07E5E240
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E5C8A8 NtUnmapViewOfSection, 7_2_07E5C8A8
Detected potential crypto function
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_02BE3013 0_2_02BE3013
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_02BEEB68 0_2_02BEEB68
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_02BECF6C 0_2_02BECF6C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0188B29C 7_2_0188B29C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0188C310 7_2_0188C310
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_018899D0 7_2_018899D0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0188DFD0 7_2_0188DFD0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063122B8 7_2_063122B8
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_06312BA8 7_2_06312BA8
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_06313BE8 7_2_06313BE8
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063198C0 7_2_063198C0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D45B 7_2_0631D45B
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063122A9 7_2_063122A9
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_06313BD7 7_2_06313BD7
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E51F68 7_2_07E51F68
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E544C0 7_2_07E544C0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07E55020 7_2_07E55020
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FBB4E0 7_2_07FBB4E0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FBB198 7_2_07FBB198
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FB0040 7_2_07FB0040
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FBEEC8 7_2_07FBEEC8
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FBBDB0 7_2_07FBBDB0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FB72D6 7_2_07FB72D6
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_07FB0006 7_2_07FB0006
Source: C:\Users\user\Desktop\Pictures.exe Code function: 18_2_01153011 18_2_01153011
Source: C:\Users\user\Desktop\Pictures.exe Code function: 18_2_0115EDBF 18_2_0115EDBF
Source: C:\Users\user\Desktop\Pictures.exe Code function: 18_2_0115EDC0 18_2_0115EDC0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 18_2_0115CF6C 18_2_0115CF6C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 23_2_0101B29C 23_2_0101B29C
Source: C:\Users\user\Desktop\Pictures.exe Code function: 23_2_0101C310 23_2_0101C310
Source: C:\Users\user\Desktop\Pictures.exe Code function: 23_2_0101360E 23_2_0101360E
Source: C:\Users\user\Desktop\Pictures.exe Code function: 23_2_0101DFD0 23_2_0101DFD0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 24_2_02B93011 24_2_02B93011
Source: C:\Users\user\Desktop\Pictures.exe Code function: 24_2_02B9EB68 24_2_02B9EB68
Source: C:\Users\user\Desktop\Pictures.exe Code function: 24_2_02B9CF6C 24_2_02B9CF6C
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
PE / OLE file has an invalid certificate
Source: Pictures.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Pictures.exe, 00000000.00000002.798932046.0000000007205000.00000004.00000001.sdmp Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.814200157.0000000007990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.789987083.0000000006010000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Pictures.exe
Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
Source: Pictures.exe, 00000007.00000002.810074546.000000000163A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Pictures.exe
Source: Pictures.exe, 00000007.00000002.807526784.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
Source: Pictures.exe Binary or memory string: OriginalFilename vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.872305373.00000000041C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.881113039.0000000005720000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Pictures.exe
Source: Pictures.exe, 0000000C.00000002.889030911.0000000007080000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.897918909.0000000007901000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.897748302.00000000077B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
Source: Pictures.exe, 00000012.00000002.895757719.0000000005E70000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Pictures.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: cryptnet.dll
Yara signature match
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@49/21@10/5
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1492
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6988
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3984
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2558.tmp
Source: Pictures.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Pictures.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Pictures.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Pictures.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Pictures.exe Virustotal: Detection: 30%
Source: Pictures.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\Pictures.exe File read: C:\Users\user\Desktop\Pictures.exe
Source: unknown Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
Source: unknown Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1092
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1652
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe'
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Pictures.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Pictures.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Pictures.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pictures.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: j(P:oLC:\Windows\Microsoft.VisualBasic.pdb source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.690755625.000000000564C000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.724899960.0000000005208000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbuntime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.690633059.00000000037C5000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb`5; source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdbT5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbP source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb65 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb@ source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
Source: Binary string: dhcpcsvc6.pdbx5# source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbH5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: SnpEoVisualBasic.pdbd source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbD source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
Source: Binary string: System.pdbO source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp
Source: Binary string: WinTypes.pdb05 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb` source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb$5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbl source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdbv source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.710589626.0000000003948000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.725513442.0000000003471000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: \\Pictures.PDB source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
Source: Binary string: comctl32.pdb0 source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbt source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: .pdb# source: Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdbF source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: c.pdbis source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.710122529.000000000395E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb{ source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: .pdb#( source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdbh source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdbZ5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb&&% source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.710589626.0000000003948000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb_ source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbl57 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb! source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbbP source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbtF source: Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: (P:oLC:\Windows\Microsoft.VisualBasic.pdb source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb)dW source: Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ml.pdbe source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.726534804.0000000003477000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb~ source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
Source: Binary string: ility.pdbn source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbf5= source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: Pictures.PDB source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb_?)u source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdbx source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb~5% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: (P:o0C:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbB5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp
Source: Binary string: (P:oPC:\Windows\System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb*) source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: npEoVisualBasic.pdb source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb: source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdbR source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
Source: Binary string: hC:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: cldapi.pdb*5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdbj source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.690633059.00000000037C5000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.724606099.0000000003465000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: ;c.pdbisA source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbA source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Pictures.PDBG source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb< source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb<5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.726534804.0000000003477000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: S.pdb# source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
Source: Binary string: npEoVisualBasic.pdbd source: Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
Source: Binary string: .pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0188E672 push esp; ret 7_2_0188E679
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4A7 push es; ret 7_2_0631D4BC
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631B4D0 push es; iretd 7_2_0631B4D4
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4D3 push es; ret 7_2_0631D4D4
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4C3 push es; ret 7_2_0631D4C4
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4CB push es; ret 7_2_0631D4CC
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D58B push es; ret 7_2_0631D5A0
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D5D7 push ebx; iretd 7_2_0631D621

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Pictures.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 180000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Pictures.exe Window / User API: threadDelayed 1370
Source: C:\Users\user\Desktop\Pictures.exe Window / User API: threadDelayed 3374
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Pictures.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 244 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 616 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6052 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 4936 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99032s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98782s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98282s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98032s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97782s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97641s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97532s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 1280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 1644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Pictures.exe TID: 7092 Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Pictures.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Pictures.exe Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
Source: Pictures.exe Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: WerFault.exe, 00000013.00000002.800025757.0000000005168000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: WerFault.exe, 0000000A.00000002.732906162.00000000037D0000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000003.772628036.0000000003453000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, WerFault.exe, 0000000A.00000003.725877666.00000000037D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Pictures.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063145B0 LdrInitializeThunk, 7_2_063145B0
Enables debug privileges
Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Pictures.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.Pictures.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 23.2.Pictures.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Pictures.exe Memory written: C:\Users\user\Desktop\Pictures.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Pictures.exe Memory written: unknown base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process created: unknown unknown

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
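Reading note on the block above: the hundreds of VolumeInformation queries against C:\Windows\Fonts\*.ttf and the GAC_MSIL assemblies are what a .NET process that touches System.Drawing and loads its referenced assemblies produces on any machine, so they carry no verdict on their own. The entries that matter are the ones whose source image is the copy under Start Menu\Programs\Startup (the persistence copy is already running) and the MachineGuid read, which keyloggers of this family commonly use as a victim identifier. The following is an added Python triage helper, not part of the report or of Joe Sandbox, that parses report lines of exactly this shape and separates noise from signal. The embedded sample lines are copied from the report above; the noise/signal labels are this example's own heuristics, and the regex tolerates the "Jump to behavior" link text that HTML-to-text exports of the report leave on some lines.

```python
"""Triage helper for 'Queries volume information' / 'Key value queried' report lines.
Added example; not code from the report, the sandbox, or the analysed sample."""
import re
from collections import Counter

# One behaviour line per match. The trailing "VolumeInformation" tag and the
# "Jump to behavior" link text left over from HTML export are both optional so
# raw and cleaned exports parse identically.
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+(?P<kind>Queries volume information|Key value queried):\s+"
    r"(?P<target>.+?)(?:\s+VolumeInformation)?(?:\s+Jump to behavior)?\s*$"
)

STARTUP_DIR = "\\start menu\\programs\\startup\\"


def classify(source: str, target: str) -> str:
    """Label one observation as runtime noise or as something worth analyst time (heuristic)."""
    t = target.lower()
    if "\\windows\\fonts\\" in t:
        return "noise:font-enumeration"      # System.Drawing/GDI+ walking the font directory
    if "\\microsoft.net\\assembly\\gac_msil\\" in t:
        return "noise:clr-assembly-load"     # CLR resolving referenced GAC assemblies
    if STARTUP_DIR in t:
        return "signal:startup-folder"       # per-user Startup folder = persistence location
    if t.endswith(" machineguid"):
        return "signal:host-fingerprint"     # MachineGuid is a common victim/bot identifier
    if t == source.lower():
        return "noise:self-image"            # a .NET process reading its own assembly file
    return "review"


def parse_report(text: str):
    """Yield one dict per recognised report line; unrelated lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, target = m.group("src"), m.group("target")
        yield {"source": src, "kind": m.group("kind"), "target": target,
               "class": classify(src, target)}


def triage(text: str) -> dict:
    """Summarise a report excerpt: class counts, distinct source images, persistence copies, signals."""
    events = list(parse_report(text))
    sources = sorted({e["source"] for e in events})
    return {
        "total": len(events),
        "by_class": dict(Counter(e["class"] for e in events)),
        "sources": sources,
        # a source image living in the Startup folder is the persistence copy itself
        "persistence_sources": [s for s in sources if STARTUP_DIR in s.lower()],
        "signals": [e for e in events if e["class"].startswith("signal:")],
    }


# Constructed excerpt: lines copied from the report above, some with the export link text.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pictures.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("observations:", summary["total"], summary["by_class"])
    print("source images:", *summary["sources"], sep="\n  ")
    print("running from Startup folder:", summary["persistence_sources"])
    for ev in summary["signals"]:
        print(f"SIGNAL {ev['class']:24} {ev['source']} -> {ev['target']}")
```

Run against the full report text the same way; the point is that once Fonts and GAC lookups are folded away, the remaining VolumeInformation entries are a handful of self-image reads plus the Startup-folder process, which is a much shorter list to reconcile with the persistence and registry findings elsewhere in the report.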

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
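The two WQL queries above are the sample asking Windows Security Center which antivirus and firewall products are registered; each returned instance carries a productState value that says whether the product is switched on and whether its definitions are current, which is what the malware wants before deciding how to behave. The following is an added Python example, not code from the report or from the sample, that issues the same two queries through pywin32 and decodes productState. The bit layout used by decode_product_state is the widely used community reading of a field Microsoft does not document, and the 0x061100 / 0x060100 values in the comments are the commonly observed Windows Defender on/off states; both are assumptions, not facts the report states.

```python
r"""Replay of the sample's root\SecurityCenter2 reconnaissance plus a productState decoder.
Added example; not code from the report or from the analysed sample."""
from dataclasses import dataclass


@dataclass
class SecurityProduct:
    kind: str            # "AntivirusProduct" or "FirewallProduct"
    name: str            # displayName as registered with Security Center
    product_state: int   # raw productState value
    enabled: bool
    up_to_date: bool


def decode_product_state(state: int) -> tuple:
    """Decode productState into (enabled, up_to_date).

    Assumption: Microsoft does not document this field; the community reading is that
    bit 0x10 of the middle byte means 'product enabled' and bit 0x10 of the low byte
    means 'definitions out of date'. Commonly observed values: 0x061100 = Defender on
    and current, 0x060100 = Defender off.
    """
    enabled = bool(((state >> 8) & 0xFF) & 0x10)
    up_to_date = not ((state & 0xFF) & 0x10)
    return enabled, up_to_date


def has_active_av(products) -> bool:
    """The conclusion the malware draws: is any antivirus product registered AND enabled?"""
    return any(p.kind == "AntivirusProduct" and p.enabled for p in products)


def query_security_center2(kinds=("AntivirusProduct", "FirewallProduct")):
    r"""Issue the same two WQL queries the sample did.

    Needs pywin32 on a Windows client OS. root\SecurityCenter2 does not exist on
    Windows Server, so GetObject raises there; a sample that does not catch that
    would crash on a server build, which is itself a useful detonation hint.
    """
    import win32com.client  # imported lazily so the decoder stays importable off-Windows
    svc = win32com.client.GetObject(r"winmgmts:\\.\root\SecurityCenter2")
    found = []
    for kind in kinds:
        for obj in svc.ExecQuery(f"SELECT * FROM {kind}"):
            state = int(obj.productState)
            enabled, fresh = decode_product_state(state)
            found.append(SecurityProduct(kind, str(obj.displayName), state, enabled, fresh))
    return found


if __name__ == "__main__":
    products = query_security_center2()
    for p in products:
        print(f"{p.kind:16} {p.name:40} state=0x{p.product_state:06x} "
              f"enabled={p.enabled} up_to_date={p.up_to_date}")
    print("active AV present:", has_active_av(products))
```

On the defensive side, the sandbox hook string shown above (IWbemServices::ExecQuery against root\SecurityCenter2) is the same operation that the Microsoft-Windows-WMI-Activity trace channel records together with the client process ID when that channel is enabled; a non-security, user-writable-location process issuing SELECT * FROM AntivirusProduct is a narrow and low-noise hunt.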

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe, 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp String found in binary or memory: k&HawkEye_Keylogger_Execution_Confirmed_
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp String found in binary or memory: k"HawkEye_Keylogger_Stealer_Records_
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 329739
Sample: Pictures.bat
Startdate: 13/12/2020
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph (graph node ids in brackets; the trailing numbers after a process name are the graph's created-file / created-registry-value counters):

[2] Start
    DNS/IP: 164.204.10.0.in-addr.arpa; smtp.privateemail.com
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures
    started:
    [8] Pictures.exe (18 5)
        DNS/IP: hastebin.com 172.67.143.180, ports 443, 49749, 49775, CLOUDFLARENETUS, United States
        Dropped: C:\Users\user\AppData\...\Pictures.exe (PE32); C:\Users\...\Pictures.exe:Zone.Identifier (ASCII)
        Signatures: Creates an undocumented autostart registry key; Drops PE files to the startup folder; Contains functionality to register a low level keyboard hook
        started:
        [19] Pictures.exe (4)
            DNS/IP: 164.204.10.0.in-addr.arpa; smtp.privateemail.com 199.193.7.228, ports 49777, 49793, 587, NAMECHEAP-NETUS, United States; 192.168.2.1 (unknown)
            Signatures: Changes the view of files in windows explorer (hidden files and folders); Installs a global keyboard hook; Injects a PE file into a foreign processes
            started:
            [40] WerFault.exe
                Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
        [23] WerFault.exe (23 9)
            Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
        [26] cmd.exe (1)
            started: [43] conhost.exe; [45] timeout.exe (1)
    [13] Pictures.exe (3)
        DNS/IP: 104.24.126.89, ports 443, 49755, 49757, CLOUDFLARENETUS, United States
        Signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
        started:
        [28] Pictures.exe
            DNS/IP: 127.0.0.1 (unknown)
            Dropped: C:\Users\user\AppData\...\Pictures.exe.log (ASCII)
        [30] WerFault.exe
            Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
        [32] cmd.exe
            started: [47] conhost.exe; [49] timeout.exe
    [15] Pictures.exe
        started:
        [34] WerFault.exe
            Dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
        [36] 2 other processes
            started: [51] conhost.exe; [53] timeout.exe
    [17] 3 other processes
        Signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
        started:
        [38] 2 other processes
            started: [55] conhost.exe; [57] 3 other processes

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name         Malicious
199.193.7.228   unknown  United States  22612  NAMECHEAP-NETUS  false
104.24.126.89   unknown  United States  13335  CLOUDFLARENETUS  false
172.67.143.180  unknown  United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name                       IP              Active
hastebin.com               172.67.143.180  true
smtp.privateemail.com      199.193.7.228   true
164.204.10.0.in-addr.arpa  unknown         unknown