Analysis Report Pictures.bat

Overview

General Information

Sample Name: Pictures.bat (the file is a PE, so the sandbox renamed the extension from .bat to .exe before running it)
Analysis ID: 329739
MD5: 97df3062b2fda05a79936b955cff4351
SHA1: 3b373ce09cad268b3ae86454f4ba23d70e59770f
SHA256: 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
Tags: bat, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Pictures.exe (PID: 1492 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 1380 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 616 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
      • WerFault.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6804 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 7116 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6488 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 5868 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • WerFault.exe (PID: 6772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1092 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 4684 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5712 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 1572 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • WerFault.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 6208 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6524 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • Pictures.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 6012 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5932 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • Pictures.exe (PID: 6576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
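
The tree above repeats one pattern four times: Pictures.exe runs `cmd.exe /c timeout 4.769` as a staging delay, starts a second copy of its own image (the suspended child that the "Injects a PE file into a foreign processes" signature refers to), and the surviving copy runs from the per-user Startup folder. No Sigma rule matched, so here is an added example, not part of the Joe Sandbox report, that hunts for those three behaviours over process-creation events. The events are constructed from the first subtree and the Startup-folder copy using the PIDs, parents and command lines shown; the System32 image paths for cmd.exe, conhost.exe and timeout.exe are assumed, since the tree only shows their command lines. The heuristics are this example's own.

```python
"""Hunt over process-creation events for the pattern in the Startup tree above.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS is constructed
from the first Pictures.exe subtree and the Startup-folder copy; image paths for
cmd.exe, conhost.exe and timeout.exe are assumed to be the System32 binaries.
The three checks are this example's own heuristics, not Sigma rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# `cmd.exe /c timeout <seconds>` launched by a non-shell parent: a staging delay.
TIMEOUT_RE = re.compile(r"cmd\.exe['\"]?\s+/c\s+timeout\s+[\d.]+", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the tree shows no parent
    image: str            # full path of the executed image
    cmdline: str


def _index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def find_timeout_delays(events: List[ProcEvent]) -> List[int]:
    """PIDs of non-shell parents that spawned `cmd.exe /c timeout N`."""
    idx = _index(events)
    hits = set()
    for e in events:
        if e.image.lower().endswith("\\cmd.exe") and TIMEOUT_RE.search(e.cmdline):
            parent = idx.get(e.ppid)
            if parent and not parent.image.lower().endswith(("\\cmd.exe", "\\explorer.exe")):
                hits.add(parent.pid)
    return sorted(hits)


def find_self_relaunch(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a process starts a second copy of its own image.

    This is the shape left by 'Creates a process in suspended mode' followed by
    'Injects a PE file into a foreign processes': the sample relaunches itself
    and replaces the child's image in memory."""
    idx = _index(events)
    pairs = set()
    for e in events:
        parent = idx.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower():
            pairs.add((parent.pid, e.pid))
    return sorted(pairs)


def find_startup_folder_exec(events: List[ProcEvent]) -> List[int]:
    """PIDs whose image lives in the per-user Startup folder."""
    return sorted(e.pid for e in events if STARTUP_RE.search(e.image))


def hunt(events: List[ProcEvent]) -> Dict[str, list]:
    return {
        "timeout_delay_parents": find_timeout_delays(events),
        "self_relaunch": find_self_relaunch(events),
        "startup_folder_exec": find_startup_folder_exec(events),
    }


DESKTOP = r"C:\Users\user\Desktop\Pictures.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe"

# Constructed from the tree above (first subtree plus the Startup-folder copy).
SAMPLE_EVENTS = [
    ProcEvent(1492, None, DESKTOP, f"'{DESKTOP}'"),
    ProcEvent(1380, 1492, r"C:\Windows\System32\cmd.exe", r"'C:\Windows\System32\cmd.exe' /c timeout 4.769"),
    ProcEvent(3220, 1380, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(616, 1380, r"C:\Windows\System32\timeout.exe", "timeout 4.769"),
    ProcEvent(6464, 1492, DESKTOP, DESKTOP),
    ProcEvent(5748, 6464, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840"),
    ProcEvent(6804, 1492, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928"),
    ProcEvent(6576, None, STARTUP, f"'{STARTUP}'"),
]

if __name__ == "__main__":
    for name, value in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

The self-relaunch check on its own is noisy (browsers and Office launch same-image children all day); in practice require the parent to live under a user-writable path such as Desktop or AppData, or pair it with the timeout delay from the same parent, as this sample does. The WerFault.exe children in the tree are the crash reports from the "One or more processes crash" signature and are a useful corroborating artefact: a hollowed child that dies takes WerFault with it.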

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x145cb7:$key: HawkEyeKeylogger
  • 0x147efb:$salt: 099u787978786
  • 0x1462f8:$string1: HawkEye_Keylogger
  • 0x14714b:$string1: HawkEye_Keylogger
  • 0x147e5b:$string1: HawkEye_Keylogger
  • 0x1466e1:$string2: holdermail.txt
  • 0x146701:$string2: holdermail.txt
  • 0x146623:$string3: wallet.dat
  • 0x14663b:$string3: wallet.dat
  • 0x146651:$string3: wallet.dat
  • 0x147a1f:$string4: Keylog Records
  • 0x147d37:$string4: Keylog Records
  • 0x147f53:$string5: do not script -->
  • 0x145c9f:$string6: \pidloc.txt
  • 0x145d2d:$string7: BSPLIT
  • 0x145d3d:$string7: BSPLIT
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
  • 0x146350:$hawkstr1: HawkEye Keylogger
  • 0x147191:$hawkstr1: HawkEye Keylogger
  • 0x1474c0:$hawkstr1: HawkEye Keylogger
  • 0x14761b:$hawkstr1: HawkEye Keylogger
  • 0x14777e:$hawkstr1: HawkEye Keylogger
  • 0x1479f7:$hawkstr1: HawkEye Keylogger
  • 0x145ede:$hawkstr2: Dear HawkEye Customers!
  • 0x147513:$hawkstr2: Dear HawkEye Customers!
  • 0x14766a:$hawkstr2: Dear HawkEye Customers!
  • 0x1477d1:$hawkstr2: Dear HawkEye Customers!
  • 0x145fff:$hawkstr3: HawkEye Logger Details:
  (81 entries in total; only the first are shown here)

Unpacked PEs

Source: 35.2.Pictures.exe.400000.0.unpack | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
Source: 35.2.Pictures.exe.400000.0.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 35.2.Pictures.exe.400000.0.unpack | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 35.2.Pictures.exe.400000.0.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 35.2.Pictures.exe.400000.0.unpack | Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
  • 0x7bf90:$hawkstr1: HawkEye Keylogger
  • 0x7cdd1:$hawkstr1: HawkEye Keylogger
  • 0x7d100:$hawkstr1: HawkEye Keylogger
  • 0x7d25b:$hawkstr1: HawkEye Keylogger
  • 0x7d3be:$hawkstr1: HawkEye Keylogger
  • 0x7d637:$hawkstr1: HawkEye Keylogger
  • 0x7bb1e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d153:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2aa:$hawkstr2: Dear HawkEye Customers!
  • 0x7d411:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc3f:$hawkstr3: HawkEye Logger Details:
  (10 entries in total; only the first are shown here)
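
The RAT_HawkEye hits above are plain string matches, which makes them easy to reproduce on a memory dump or unpacked PE without the sandbox. The following is an added example and not code from the report, from Joe Security or from Kevin Breen: it searches a byte buffer for the nine strings exactly as they appear in the match list, renders hits in the report's `0xOFFSET:$ident: value` style, and checks a buffer's SHA256 against the hash in General Information. Two things are assumptions of this example, not facts from the page: that the rule requires every string to be present, and that the strings are stored UTF-16LE (HawkEye is a .NET binary, so the example searches each string as both ASCII and UTF-16LE). The sample buffer is constructed, not malware bytes; a real deployment would feed the same strings to yara-python.

```python
"""Pure-Python check for the RAT_HawkEye string set listed above.

Added example, not code from the report, Joe Security or Kevin Breen. The
strings and identifiers are copied from the match list; the "every string must
be present" condition and the UTF-16LE encoding are this example's assumptions.
"""
import hashlib
from typing import Dict, List, Tuple

# Identifiers and values exactly as they appear in the match list above.
HAWKEYE_STRINGS: Dict[str, str] = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
    "$string4": "Keylog Records",
    "$string5": "do not script -->",
    "$string6": "\\pidloc.txt",
    "$string7": "BSPLIT",
}

# SHA256 from the General Information section of this report.
KNOWN_SHA256 = "99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb"


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in haystack."""
    hits, start = [], haystack.find(needle)
    while start != -1:
        hits.append(start)
        start = haystack.find(needle, start + 1)
    return hits


def scan_hawkeye(data: bytes) -> Tuple[bool, Dict[str, List[Tuple[int, str]]]]:
    """Return (matched, {identifier: [(offset, encoding), ...]}).

    matched is True only when every identifier has at least one hit (assumed
    condition, see the lead-in). Each string is tried as ASCII and as UTF-16LE
    because .NET string literals are stored wide."""
    matches: Dict[str, List[Tuple[int, str]]] = {}
    for ident, text in HAWKEYE_STRINGS.items():
        hits = [(off, "ascii") for off in find_all(data, text.encode("ascii"))]
        hits += [(off, "wide") for off in find_all(data, text.encode("utf-16-le"))]
        if hits:
            matches[ident] = sorted(hits)
    return len(matches) == len(HAWKEYE_STRINGS), matches


def format_matches(matches: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Render hits in the report's '0xOFFSET:$ident: value' style."""
    return [f"0x{off:x}:{ident}: {HAWKEYE_STRINGS[ident]}"
            for ident, hits in matches.items() for off, _enc in hits]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True only for the exact submitted file; unpacked or dumped copies differ."""
    return sha256_hex(data) == KNOWN_SHA256


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: filler plus all nine strings
    in UTF-16LE with null terminators. Not real malware bytes."""
    chunks = [b"\x00" * 64]
    for text in HAWKEYE_STRINGS.values():
        chunks.append(text.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 16)
    return b"".join(chunks)


def build_benign_buffer() -> bytes:
    """Constructed buffer with only one of the strings: a lone 'wallet.dat'
    (any Bitcoin client has it) must not fire the rule."""
    return b"MZ" + b"\x90" * 100 + "wallet.dat".encode("utf-16-le")


if __name__ == "__main__":
    matched, found = scan_hawkeye(build_sample_dump())
    print("matched:", matched)
    for line in format_matches(found):
        print(" ", line)
```

Hash matching only catches the exact submitted file; the unpacked PE at 0x400000 and every memory dump in the Yara table have different hashes, which is why the report leans on string rules rather than on the MD5/SHA256 for the in-memory stage.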

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Pictures.exe.6464.7.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Pictures.exe | Virustotal: Detection: 30%
Source: Pictures.exe | ReversingLabs: Detection: 41%
Antivirus or Machine Learning detection for unpacked file
Source: 23.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 35.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 35.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
May infect USB drives
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: [autorun]

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_063126D9
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_0631326B
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_06312B99
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_06312835
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E52F4C
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E53715
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E5362B
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E52C27
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then call 0584A6E8h | 7_2_07E52962
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E52962
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then call 0584A6E8h | 7_2_07E52878
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07E52878
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 7_2_07FBFE8A

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: hastebin.com (6 queries)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49777 -> 199.193.7.228:587
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 199.193.7.228
Source: Joe Sandbox View | IP Address: 104.24.126.89
Source: Joe Sandbox View | IP Address: 172.67.143.180
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic | TCP traffic: 192.168.2.4:49777 -> 199.193.7.228:587

Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: hastebin.com
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000013.00000003.772377584.0000000003485000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.743322819.0000000005BA0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Pictures.exe, 00000007.00000002.813515212.0000000003300000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp | String found in binary or memory: http://wI5CH./
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com6
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comF
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comopsz
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comx
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Pictures.exe, 00000007.00000003.695701608.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html6
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Pictures.exe, 00000007.00000003.698812159.0000000006367000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Pictures.exe, 00000007.00000002.812029938.00000000018C7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comceom
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Pictures.exe, 00000007.00000003.688584334.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn//wS5IH..
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Pictures.exe, 00000007.00000003.688773365.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn=I
              Source: Pictures.exe, 00000007.00000003.688698853.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnMIr4
              Source: Pictures.exe, 00000007.00000003.703414982.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krk5
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Pictures.exe, 00000007.00000003.690785551.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-u
              Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com7
              Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.coml
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krM
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krP
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krY5RI
              Source: Pictures.exe, 00000007.00000002.813738725.000000000333B000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: Pictures.exe, 00000007.00000003.695329896.0000000006365000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000003.700552872.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deP
              Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dee
              Source: Pictures.exe, 00000007.00000003.700382243.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deve
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: Pictures.exe, 00000007.00000003.689287299.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
              Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://hastebin.com
              Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://hastebin.com/raw/yonozilace
              Source: Pictures.exe, 00000000.00000002.745005062.0000000002DA1000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860989789.000000000254D000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880538593.0000000002D61000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
              Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: Yara match | File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
              Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
              Contains functionality to register a low level keyboard hook
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_063105B4 SetWindowsHookExA 0000000D,00000000,?,? | 7_2_063105B4
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\Pictures.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Pictures.exe
              Source: C:\Users\user\Desktop\Pictures.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0631D739 GetKeyState,GetKeyState,GetKeyState, | 7_2_0631D739
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0631D748 GetKeyState,GetKeyState,GetKeyState, | 7_2_0631D748

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sample | Static PE information: Filename: Pictures.exe
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56528 NtWriteVirtualMemory, | 7_2_07E56528
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56534 NtSetContextThread, | 7_2_07E56534
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56510 NtUnmapViewOfSection, | 7_2_07E56510
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E5D000 NtWriteVirtualMemory, | 7_2_07E5D000
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E565A0 NtSetContextThread, | 7_2_07E565A0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E565AC NtUnmapViewOfSection, | 7_2_07E565AC
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56588 NtWriteVirtualMemory, | 7_2_07E56588
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56594 NtSetContextThread, | 7_2_07E56594
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56570 NtUnmapViewOfSection, | 7_2_07E56570
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E56540 NtSetContextThread, | 7_2_07E56540
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E5654C NtUnmapViewOfSection, | 7_2_07E5654C
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E5E240 NtSetContextThread, | 7_2_07E5E240
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E5C8A8 NtUnmapViewOfSection, | 7_2_07E5C8A8
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 0_2_02BE3013 | 0_2_02BE3013
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 0_2_02BEEB68 | 0_2_02BEEB68
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 0_2_02BECF6C | 0_2_02BECF6C
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0188B29C | 7_2_0188B29C
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0188C310 | 7_2_0188C310
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_018899D0 | 7_2_018899D0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0188DFD0 | 7_2_0188DFD0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_063122B8 | 7_2_063122B8
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_06312BA8 | 7_2_06312BA8
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_06313BE8 | 7_2_06313BE8
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_063198C0 | 7_2_063198C0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0631D45B | 7_2_0631D45B
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_063122A9 | 7_2_063122A9
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_06313BD7 | 7_2_06313BD7
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E51F68 | 7_2_07E51F68
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E544C0 | 7_2_07E544C0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07E55020 | 7_2_07E55020
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FBB4E0 | 7_2_07FBB4E0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FBB198 | 7_2_07FBB198
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FB0040 | 7_2_07FB0040
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FBEEC8 | 7_2_07FBEEC8
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FBBDB0 | 7_2_07FBBDB0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FB72D6 | 7_2_07FB72D6
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_07FB0006 | 7_2_07FB0006
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 18_2_01153011 | 18_2_01153011
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 18_2_0115EDBF | 18_2_0115EDBF
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 18_2_0115EDC0 | 18_2_0115EDC0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 18_2_0115CF6C | 18_2_0115CF6C
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 23_2_0101B29C | 23_2_0101B29C
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 23_2_0101C310 | 23_2_0101C310
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 23_2_0101360E | 23_2_0101360E
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 23_2_0101DFD0 | 23_2_0101DFD0
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 24_2_02B93011 | 24_2_02B93011
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 24_2_02B9EB68 | 24_2_02B9EB68
              Source: C:\Users\user\Desktop\Pictures.exe | Code function: 24_2_02B9CF6C | 24_2_02B9CF6C
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
              Source: Pictures.exe | Static PE information: invalid certificate
              Source: Pictures.exe, 00000000.00000002.798932046.0000000007205000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.814200157.0000000007990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.789987083.0000000006010000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.810074546.000000000163A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.807526784.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe | Binary or memory string: OriginalFilename vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.872305373.00000000041C2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.881113039.0000000005720000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.889030911.0000000007080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.897918909.0000000007901000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.897748302.00000000077B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.895757719.0000000005E70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Pictures.exe
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory s