Analysis Report Pictures.bat

Overview

General Information

Sample Name: Pictures.bat (renamed file extension from bat to exe)
Analysis ID: 329739
MD5: 97df3062b2fda05a79936b955cff4351
SHA1: 3b373ce09cad268b3ae86454f4ba23d70e59770f
SHA256: 99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
Tags: bat, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Pictures.exe (PID: 1492 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 1380 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 616 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
      • WerFault.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6804 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 7116 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6488 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 5868 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • WerFault.exe (PID: 6772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1092 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 4684 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5712 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • Pictures.exe (PID: 1572 cmdline: C:\Users\user\Desktop\Pictures.exe MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • WerFault.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • Pictures.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 6208 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6524 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • Pictures.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
    • cmd.exe (PID: 6012 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5932 cmdline: timeout 4.769 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • Pictures.exe (PID: 6576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe' MD5: 97DF3062B2FDA05A79936B955CFF4351)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x145cb7:$key: HawkEyeKeylogger
  • 0x147efb:$salt: 099u787978786
  • 0x1462f8:$string1: HawkEye_Keylogger
  • 0x14714b:$string1: HawkEye_Keylogger
  • 0x147e5b:$string1: HawkEye_Keylogger
  • 0x1466e1:$string2: holdermail.txt
  • 0x146701:$string2: holdermail.txt
  • 0x146623:$string3: wallet.dat
  • 0x14663b:$string3: wallet.dat
  • 0x146651:$string3: wallet.dat
  • 0x147a1f:$string4: Keylog Records
  • 0x147d37:$string4: Keylog Records
  • 0x147f53:$string5: do not script -->
  • 0x145c9f:$string6: \pidloc.txt
  • 0x145d2d:$string7: BSPLIT
  • 0x145d3d:$string7: BSPLIT
0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x146350:$hawkstr1: HawkEye Keylogger
  • 0x147191:$hawkstr1: HawkEye Keylogger
  • 0x1474c0:$hawkstr1: HawkEye Keylogger
  • 0x14761b:$hawkstr1: HawkEye Keylogger
  • 0x14777e:$hawkstr1: HawkEye Keylogger
  • 0x1479f7:$hawkstr1: HawkEye Keylogger
  • 0x145ede:$hawkstr2: Dear HawkEye Customers!
  • 0x147513:$hawkstr2: Dear HawkEye Customers!
  • 0x14766a:$hawkstr2: Dear HawkEye Customers!
  • 0x1477d1:$hawkstr2: Dear HawkEye Customers!
  • 0x145fff:$hawkstr3: HawkEye Logger Details:
  (81 entries in total; only those above are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
35.2.Pictures.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
35.2.Pictures.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
35.2.Pictures.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
35.2.Pictures.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
35.2.Pictures.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf90:$hawkstr1: HawkEye Keylogger
  • 0x7cdd1:$hawkstr1: HawkEye Keylogger
  • 0x7d100:$hawkstr1: HawkEye Keylogger
  • 0x7d25b:$hawkstr1: HawkEye Keylogger
  • 0x7d3be:$hawkstr1: HawkEye Keylogger
  • 0x7d637:$hawkstr1: HawkEye Keylogger
  • 0x7bb1e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d153:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2aa:$hawkstr2: Dear HawkEye Customers!
  • 0x7d411:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc3f:$hawkstr3: HawkEye Logger Details:
  (10 entries in total; only those above are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Pictures.exe.6464.7.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Pictures.exe | Virustotal: Detection: 30%
Source: Pictures.exe | ReversingLabs: Detection: 41%
Source: 23.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 35.2.Pictures.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 35.2.Pictures.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (11 identical entries)
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 4x nop then call 0584A6E8h (2 identical entries)

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: hastebin.com (6 identical entries)
Source: global traffic | TCP traffic: 192.168.2.4:49777 -> 199.193.7.228:587
Source: Joe Sandbox View | IP Address: 199.193.7.228
Source: Joe Sandbox View | IP Address: 104.24.126.89
Source: Joe Sandbox View | IP Address: 172.67.143.180
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: hastebin.com
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000013.00000003.772377584.0000000003485000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.743322819.0000000005BA0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Pictures.exe, 00000007.00000002.813515212.0000000003300000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp | String found in binary or memory: http://wI5CH./
Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com6
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comF
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comopsz
Source: Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comx
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Pictures.exe, 00000007.00000003.695701608.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html6
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Pictures.exe, 00000007.00000003.698812159.0000000006367000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Pictures.exe, 00000007.00000002.812029938.00000000018C7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comceom
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Pictures.exe, 00000007.00000003.688584334.0000000006365000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn//wS5IH..
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Pictures.exe, 00000007.00000003.688773365.000000000636E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn=I
              Source: Pictures.exe, 00000007.00000003.688698853.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnMIr4
              Source: Pictures.exe, 00000007.00000003.703414982.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krk5
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Pictures.exe, 00000007.00000003.690785551.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-u
              Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com7
              Source: Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.coml
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krM
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTF
              Source: Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krP
              Source: Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krY5RI
              Source: Pictures.exe, 00000007.00000002.813738725.000000000333B000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: Pictures.exe, 00000007.00000003.695329896.0000000006365000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000003.700552872.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deP
              Source: Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dee
              Source: Pictures.exe, 00000007.00000003.700382243.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deve
              Source: Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: Pictures.exe, 00000007.00000003.689287299.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
              Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://hastebin.com
              Source: Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://hastebin.com/raw/yonozilace
              Source: Pictures.exe, 00000000.00000002.745005062.0000000002DA1000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860989789.000000000254D000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880538593.0000000002D61000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.860839048.0000000002537000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.880433581.0000000002D47000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.788207114.0000000003250000.00000002.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
              Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
Source: Yara match | File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_063105B4 SetWindowsHookExA 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Pictures.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Pictures.exe
Source: C:\Users\user\Desktop\Pictures.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0631D739 GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\Pictures.exe | Code function: 7_2_0631D748 GetKeyState,GetKeyState,GetKeyState,

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: Pictures.exe
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56528 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56534 NtSetContextThread,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56510 NtUnmapViewOfSection,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E5D000 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E565A0 NtSetContextThread,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E565AC NtUnmapViewOfSection,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56588 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56594 NtSetContextThread,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56570 NtUnmapViewOfSection,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E56540 NtSetContextThread,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E5654C NtUnmapViewOfSection,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E5E240 NtSetContextThread,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E5C8A8 NtUnmapViewOfSection,
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 0_2_02BE3013
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 0_2_02BEEB68
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 0_2_02BECF6C
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_0188B29C
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_0188C310
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_018899D0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_0188DFD0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_063122B8
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_06312BA8
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_06313BE8
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_063198C0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_0631D45B
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_063122A9
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_06313BD7
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E51F68
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E544C0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07E55020
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FBB4E0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FBB198
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FB0040
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FBEEC8
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FBBDB0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FB72D6
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 7_2_07FB0006
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 18_2_01153011
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 18_2_0115EDBF
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 18_2_0115EDC0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 18_2_0115CF6C
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 23_2_0101B29C
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 23_2_0101C310
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 23_2_0101360E
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 23_2_0101DFD0
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 24_2_02B93011
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 24_2_02B9EB68
              Source: C:\Users\user\Desktop\Pictures.exeCode function: 24_2_02B9CF6C
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
              Source: Pictures.exeStatic PE information: invalid certificate
              Source: Pictures.exe, 00000000.00000002.798932046.0000000007205000.00000004.00000001.sdmpBinary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.814200157.0000000007990000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.789987083.0000000006010000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Pictures.exe
              Source: Pictures.exe, 00000000.00000002.791513854.0000000006100000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.810074546.000000000163A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Pictures.exe
              Source: Pictures.exe, 00000007.00000002.807526784.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exeBinary or memory string: OriginalFilename vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.872305373.00000000041C2000.00000004.00000001.sdmpBinary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.881113039.0000000005720000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Pictures.exe
              Source: Pictures.exe, 0000000C.00000002.889030911.0000000007080000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilename?QA\A\ F vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.897918909.0000000007901000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameebdd cae.exe2 vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.897748302.00000000077B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Pictures.exe
              Source: Pictures.exe, 00000012.00000002.895757719.0000000005E70000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Pictures.exe
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dll
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@49/21@10/5
              Source: C:\Users\user\Desktop\Pictures.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1492
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6988
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3984
              Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2558.tmp
              Source: Pictures.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Pictures.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Pictures.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Pictures.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\Pictures.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Pictures.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: Pictures.exe | Virustotal: Detection: 30%
              Source: Pictures.exe | ReversingLabs: Detection: 41%
              Source: C:\Users\user\Desktop\Pictures.exe | File read: C:\Users\user\Desktop\Pictures.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1092
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe 'C:\Users\user\Desktop\Pictures.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: unknown | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1652
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe'
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: unknown unknown
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Pictures.exe | Process created: unknown unknown
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | Process created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Pictures.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Pictures.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Pictures.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: j(P:oLC:\Windows\Microsoft.VisualBasic.pdb source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.690755625.000000000564C000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.724899960.0000000005208000.00000004.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbuntime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
              Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.690633059.00000000037C5000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb`5; source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: WLDP.pdbT5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: schannel.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbP source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
              Source: Binary string: fwpuclnt.pdb65 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb@ source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
              Source: Binary string: dhcpcsvc6.pdbx5# source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: rasapi32.pdbH5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: SnpEoVisualBasic.pdbd source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: symbols\dll\System.Runtime.Remoting.pdbD source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
              Source: Binary string: System.pdbO source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp
              Source: Binary string: WinTypes.pdb05 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb` source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wmswsock.pdb$5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
              Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdbl source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: pnrpnsp.pdbv source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.710589626.0000000003948000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp
              Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.725513442.0000000003471000.00000004.00000001.sdmp
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ncryptsslp.pdb5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: \\Pictures.PDB source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
              Source: Binary string: comctl32.pdb0 source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wmswsock.pdbt source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: .pdb# source: Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdbF source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: c.pdbis source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.710122529.000000000395E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb{ source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: .pdb#( source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb0 source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp
              Source: Binary string: msvcp_win.pdbh source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdbZ5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: indows.Forms.pdb&&% source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp, Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
              Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.710589626.0000000003948000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb_ source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: schannel.pdbl57 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb! source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000A.00000003.710359815.0000000005A6D000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdbbP source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbtF source: Pictures.exe, 00000012.00000002.899072158.0000000008CA0000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: (P:oLC:\Windows\Microsoft.VisualBasic.pdb source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb)dW source: Pictures.exe, 0000000C.00000002.892580198.0000000009590000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ml.pdbe source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.726534804.0000000003477000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb~ source: WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749777305.0000000005790000.00000004.00000040.sdmp
              Source: Binary string: ility.pdbn source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdbf5= source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: Pictures.PDB source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb_?)u source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: wbemprox.pdbx source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: C:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp, Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: secur32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: ntmarta.pdb~5% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: (P:o0C:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdbB5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp
              Source: Binary string: (P:oPC:\Windows\System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.828267747.000000000903B000.00000004.00000010.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb*) source: Pictures.exe, 00000000.00000002.743748427.0000000000F97000.00000004.00000020.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: npEoVisualBasic.pdb source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdb: source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdbR source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749187523.000000000579D000.00000004.00000040.sdmp
              Source: Binary string: hC:\Users\user\Desktop\Pictures.PDB source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: cldapi.pdb*5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdbj source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.690633059.00000000037C5000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.724606099.0000000003465000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: ;c.pdbisA source: Pictures.exe, 00000000.00000002.740898251.0000000000CF9000.00000004.00000010.sdmp
              Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdbA source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp
              Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Users\user\Desktop\Pictures.PDBG source: Pictures.exe, 00000000.00000002.743687225.0000000000F7F000.00000004.00000020.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: Pictures.exe, 00000007.00000002.826574153.0000000008074000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: msctf.pdb< source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: System.pdb source: WerFault.exe, 0000000A.00000003.710043381.0000000005A6B000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: ore.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.710571774.0000000003940000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb<5 source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.710013538.0000000005A51000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.709972718.0000000003942000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.726534804.0000000003477000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000A.00000002.738229070.0000000005CB0000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: S.pdb# source: Pictures.exe, 0000000C.00000002.855507495.0000000000539000.00000004.00000010.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000A.00000003.710208454.0000000005A52000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.710601790.000000000394B000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749305781.0000000005797000.00000004.00000040.sdmp
              Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp
              Source: Binary string: npEoVisualBasic.pdbd source: Pictures.exe, 00000012.00000002.876736200.0000000000B39000.00000004.00000010.sdmp
              Source: Binary string: .pdb source: Pictures.exe, 00000007.00000002.828076389.0000000008DBA000.00000004.00000010.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.749368081.00000000057A4000.00000004.00000040.sdmp
              Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.709925184.000000000394E000.00000004.00000040.sdmp

              Data Obfuscation:

.NET source code contains potential unpacker
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0188E672 push esp; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4A7 push es; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631B4D0 push es; iretd
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4D3 push es; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4C3 push es; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D4CB push es; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D58B push es; ret
Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_0631D5D7 push ebx; iretd
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe

              Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe

              Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\Desktop\Pictures.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Pictures.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 300000
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 180000
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Pictures.exe Window / User API: threadDelayed 1370
              Source: C:\Users\user\Desktop\Pictures.exe Window / User API: threadDelayed 3374
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 244 Thread sleep time: -120000s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 616 Thread sleep time: -140000s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6052 Thread sleep time: -300000s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 4936 Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -100000s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99875s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99766s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99641s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99532s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99391s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99282s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99141s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -99032s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98891s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98782s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98641s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98516s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98391s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98282s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98141s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -98032s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97891s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97782s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97641s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97532s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6488 Thread sleep time: -97391s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 1280 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 1644 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Pictures.exe TID: 7092 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
              Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\Pictures.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
              Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
              Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: Pictures.exe Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
              Source: Pictures.exe Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: WerFault.exe, 00000013.00000002.800025757.0000000005168000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
              Source: Pictures.exe, 00000012.00000002.883627368.0000000003D11000.00000004.00000001.sdmp Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: WerFault.exe, 0000000A.00000002.732906162.00000000037D0000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000003.772628036.0000000003453000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
              Source: Pictures.exe Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Pictures.exe, 00000007.00000002.811503008.0000000001664000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
              Source: Pictures.exe, 00000000.00000002.743556641.0000000000F5A000.00000004.00000020.sdmp, WerFault.exe, 0000000A.00000003.725877666.00000000037D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: WerFault.exe, 0000000A.00000002.737474846.0000000005B40000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.800263521.0000000005380000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Pictures.exe Process information queried: ProcessInformation

              Anti Debugging:

              Hides threads from debuggers
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\Pictures.exe Code function: 7_2_063145B0 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Pictures.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 7.2.Pictures.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 7.2.Pictures.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 23.2.Pictures.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 23.2.Pictures.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: C:\Users\user\Desktop\Pictures.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: unknown base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: unknown base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: C:\Users\user\Desktop\Pictures.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: C:\Users\user\Desktop\Pictures.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Memory written: unknown base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Users\user\Desktop\Pictures.exe C:\Users\user\Desktop\Pictures.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 4.769
              Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Pictures.exe Process created: unknown unknown
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4.769
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Process created: unknown unknown
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Users\user\Desktop\Pictures.exe VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Pictures.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
              Source: C:\Users\user\Desktop\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information:

              Yara detected HawkEye Keylogger
              Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Yara detected MailPassView
              Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Yara detected WebBrowserPassView password recovery tool
              Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected HawkEye Rat
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: Pictures.exe, 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp String found in binary or memory: k&HawkEye_Keylogger_Execution_Confirmed_
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
              Source: Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp String found in binary or memory: k"HawkEye_Keylogger_Stealer_Records_
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
              Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
              Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
              Source: WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
              Yara detected HawkEye Keylogger
              Source: Yara match File source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6464, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 3984, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6988, type: MEMORY
              Source: Yara match File source: Process Memory Space: Pictures.exe PID: 1492, type: MEMORY
              Source: Yara match File source: 35.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 23.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 7.2.Pictures.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques flagged by at least one signature, grouped by tactic. Bracketed figures are the signature-count badges exactly as they appear in the matrix cells. Techniques the matrix lists without a badge are its empty template cells and are omitted; no technique was flagged under Exfiltration, Network Effects, Remote Service Effects or Impact.

Initial Access: Replication Through Removable Media [1]
Execution: Windows Management Instrumentation [21]; Native API [1]
Persistence: Startup Items [1]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [421]
Privilege Escalation: Startup Items [1]; DLL Side-Loading [1]; Process Injection [111]; Registry Run Keys / Startup Folder [421]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [11]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [16]; Process Injection [111]; Hidden Files and Directories [1]
Credential Access: Input Capture [311]
Discovery: Peripheral Device Discovery [1]; File and Directory Discovery [2]; System Information Discovery [23]; Query Registry [1]; Security Software Discovery [251]; Virtualization/Sandbox Evasion [16]; Process Discovery [1]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Replication Through Removable Media [1]
Collection: Archive Collected Data [11]; Input Capture [311]; Clipboard Data [1]
Command and Control: Web Service [1]; Encrypted Channel [12]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [12]

Behavior Graph

Behavior Graph ID: 329739. Sample: Pictures.bat. Start date: 13/12/2020. Architecture: WINDOWS. Score: 100.

Top-level DNS names: 164.204.10.0.in-addr.arpa, smtp.privateemail.com.
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures.

Process tree as drawn in the graph. Graph node numbers are in parentheses; bracketed figures are the graph's per-node created-file / created-registry-value counters as extracted.

Pictures.exe (8) [18 5]
  Network: hastebin.com 172.67.143.180 port 443 (source ports 49749, 49775), CLOUDFLARENETUS, United States
  Dropped: C:\Users\user\AppData\...\Pictures.exe (PE32); C:\Users\...\Pictures.exe:Zone.Identifier (ASCII)
  Signatures: Creates an undocumented autostart registry key; Drops PE files to the startup folder; Contains functionality to register a low level keyboard hook
  -> Pictures.exe (19) [4]
       Network: 164.204.10.0.in-addr.arpa (DNS); smtp.privateemail.com 199.193.7.228 port 587 (source ports 49777, 49793), NAMECHEAP-NETUS, United States; 192.168.2.1 (unknown)
       Signatures: Changes the view of files in windows explorer (hidden files and folders); Installs a global keyboard hook; Injects a PE file into a foreign processes
       -> WerFault.exe (40): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  -> WerFault.exe (23) [23 9]: dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  -> cmd.exe (26) [1]
       -> conhost.exe (43)
       -> timeout.exe (45) [1]

Pictures.exe (13) [3]
  Network: 104.24.126.89 port 443 (source ports 49755, 49757), CLOUDFLARENETUS, United States
  Signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
  -> Pictures.exe (28): network 127.0.0.1 (unknown); dropped C:\Users\user\AppData\...\Pictures.exe.log (ASCII)
  -> WerFault.exe (30): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  -> cmd.exe (32)
       -> conhost.exe (47)
       -> timeout.exe (49)

Pictures.exe (15)
  -> WerFault.exe (34): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  -> 2 other processes (36)
       -> conhost.exe (51)
       -> timeout.exe (53)

3 other processes (17)
  Signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
  -> 2 other processes (38)
       -> conhost.exe (55)
       -> 3 other processes (57)

Two things to read out of the tree: the outbound traffic is split between the first-stage Pictures.exe (HTTPS to hastebin.com, where the configuration is fetched) and the injected child Pictures.exe (19) (SMTP submission on 587, the keylog and credential exfiltration channel), so host telemetry that only follows the parent misses the exfiltration; and each cmd.exe -> timeout.exe pair is a delay loop, which together with the copy dropped into the Startup folder and the Run-key entries is the sample's relaunch path. The repeated WerFault.exe children show the injected stages crashing inside the sandbox, so the run is not necessarily a complete picture of the payload.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Pictures.exe | 30% | Virustotal | -
Pictures.exe | 16% | Metadefender | -
Pictures.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | 16% | Metadefender | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint

The dropped file carries the same detection figures and label as the initial sample, consistent with the sample copying itself into the per-user Startup folder (the "Drops PE files to the startup folder" signature).

Unpacked PE Files

Source | Detection | Scanner | Label
23.2.Pictures.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
23.2.Pictures.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
7.2.Pictures.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
7.2.Pictures.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
35.2.Pictures.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
35.2.Pictures.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

The unpacked images are where the conventional scanners reach 100%: the initial .NET sample is a packed loader, and the payload injected at 0x400000 in the child processes is what the MailPassView tool signature fires on.

Domains

Source | Detection | Scanner | Label
164.204.10.0.in-addr.arpa | 0% | Virustotal | -

164.204.10.0.in-addr.arpa is a reverse-DNS (PTR) query name for 0.10.204.164, not a host the sample connects to.

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn=I | 0% | Avira URL Cloud | safe
http://www.fontbureau.comceom | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.carterandcone.com6 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sandoll.co.krY5RI | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.carterandcone.comF | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnMIr4 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krP | 0% | Avira URL Cloud | safe
http://www.sakkal.coml | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krM | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn//wS5IH.. | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.urwpp.deP | 0% | Avira URL Cloud | safe
http://www.urwpp.deve | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krk5 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krN.TTF | 0% | Avira URL Cloud | safe
http://www.sakkal.com7 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.sakkal.com-u | 0% | Avira URL Cloud | safe
http://wI5CH./ | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | URL Reputation | safe
http://www.carterandcone.comx | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
http://www.urwpp.dee | 0% | Avira URL Cloud | safe
http://www.carterandcone.comopsz | 0% | Avira URL Cloud | safe

Rows that the report listed once per reputation engine queried are collapsed to one line. Every entry here is a font-vendor, certificate-chain or truncated string pulled from process memory, most with trailing junk bytes from the strings extractor; none of them is contacted by the sample. The hosts it actually talks to are under Domains and IPs.
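Sandbox reports of .NET samples routinely carry a hundred of these strings, and the flattened export makes even splitting a row ambiguous: "http://www.carterandcone.com60%Avira URL Cloudsafe" is the junk-suffixed string "http://www.carterandcone.com6" at 0% (the memory-dump table later in this report shows that form), not carterandcone.com at 60%. The following Python is an added example of triaging such a table, not part of the Joe Sandbox report or its tooling: it splits each row, resolves the digit ambiguity against an optional list of known URLs (assuming the common 0% case otherwise and saying so), collapses the per-engine repeats, and separates the font and certificate noise from anything worth a look. The noise-host list is this example's own choice; the sample rows are copied from the table above, repeats included.

```python
"""Triage a Joe Sandbox "URLs" table that was flattened to one string per row.

Added example (not part of the report). A row reads <url><detection>%<scanner><label>
with no separators, and the same row recurs once per reputation engine, e.g.
    http://www.tiro.com0%URL Reputationsafe
    http://www.carterandcone.com60%Avira URL Cloudsafe
The second row is ambiguous. Trailing digits are assigned to the URL unless a
caller-supplied list of known URLs says otherwise, and the guess is reported.
"""
import re
from urllib.parse import urlsplit

SCANNERS = ("Avira URL Cloud", "URL Reputation")
TAIL = re.compile(
    r"(?P<det>\d{1,3})%(?P<scanner>" + "|".join(map(re.escape, SCANNERS)) + r")(?P<label>[a-z]+)$"
)

# Hosts that appear in most .NET process dumps regardless of the sample: font-vendor
# metadata from loaded fonts, certificate-chain URLs, WS-* schema namespaces.
# Treated as noise here; the list is this example's own choice.
NOISE_HOSTS = (
    "fontbureau.com", "founder.com.cn", "tiro.com", "goodfont.co.kr", "sajatypeworks.com",
    "sandoll.co.kr", "typography.net", "galapagosdesign.com", "fontfabrik.com",
    "carterandcone.com", "sakkal.com", "urwpp.de", "zhongyicts.com.cn", "jiyu-kobo.co.jp",
    "fonts.com", "sectigo.com", "schemas.xmlsoap.org", "apache.org", "crl.micro",
)

# Rows copied verbatim from the report's URLs table, repeats included.
SAMPLE_ROWS = [
    "http://www.founder.com.cn/cn=I0%Avira URL Cloudsafe",
    "http://www.tiro.com0%URL Reputationsafe",
    "http://www.tiro.com0%URL Reputationsafe",
    "http://www.tiro.com0%URL Reputationsafe",
    "http://www.carterandcone.com60%Avira URL Cloudsafe",
    "http://ocsp.sectigo.com00%URL Reputationsafe",
    "http://www.sandoll.co.krY5RI0%Avira URL Cloudsafe",
    "http://wI5CH./0%Avira URL Cloudsafe",
]


def split_row(row, known_urls=()):
    """Return (url, detection_percent, scanner, label, guessed).

    guessed is True when the url/detection boundary could not be fixed from
    known_urls and the common 0% case was assumed.
    """
    m = TAIL.search(row)
    if not m:
        raise ValueError(f"not a URL-table row: {row!r}")
    digits = m["det"]
    # Every split of the digit run is a candidate: leading digits may belong to the URL.
    candidates = [(row[: m.start() + i], int(digits[i:])) for i in range(len(digits))]
    for url, det in candidates:
        if url in known_urls:
            return url, det, m["scanner"], m["label"], False
    url, det = candidates[-1]  # longest URL, single detection digit
    return url, det, m["scanner"], m["label"], len(digits) > 1


def is_noise(url):
    host = urlsplit(url).hostname or ""
    # Substring match on purpose: junk bytes are glued to hostnames ("sandoll.co.krY5RI").
    return any(n in host for n in NOISE_HOSTS)


def triage(rows, known_urls=()):
    """Collapse per-engine repeats and bucket unique URLs into noise / review."""
    unique = {}
    for row in rows:
        url, det, scanner, label, guessed = split_row(row, known_urls)
        entry = unique.setdefault(
            url, {"detection": det, "scanners": set(), "labels": set(), "guessed": guessed}
        )
        entry["scanners"].add(scanner)
        entry["labels"].add(label)
    buckets = {"noise": [], "review": []}
    for url in unique:
        buckets["noise" if is_noise(url) else "review"].append(url)
    return unique, buckets


if __name__ == "__main__":
    found, buckets = triage(SAMPLE_ROWS)
    for url in buckets["review"]:
        print("review:", url, found[url])
    print(f"{len(found)} unique URLs, {len(buckets['noise'])} noise")
```

On the eight sample rows this leaves one URL to look at ("http://wI5CH./", itself a truncated string) and flags the two rows where it had to guess the split. Feeding the URLs from the report's memory-dump table as known_urls removes the guessing for any string that appears in both.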

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hastebin.com | 172.67.143.180 | true | false | - | high
smtp.privateemail.com | 199.193.7.228 | true | false | - | high
164.204.10.0.in-addr.arpa | unknown | unknown | true | - | unknown

The second Cloudflare address in the behavior graph, 104.24.126.89 on port 443, has no resolved name in this table. Both hastebin.com and privateemail.com are legitimate services with high reputation, so the "Malicious: false" column says nothing about their role here: the paste is the configuration source and the SMTP server is the exfiltration target, and only the pairing and the port-587 submission from an unexpected process make them actionable.
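The two contacted services above describe the sample's network sequence: an HTTPS fetch from hastebin.com (the "Connects to a pastebin service (likely for C&C)" signature; the raw paste URL appears in memory) followed, in the injected child process, by an SMTP submission to smtp.privateemail.com on port 587. Either event alone is routine on most networks; one host doing both within minutes is not. The following Python is an added example of that correlation written against this report's indicators; it is not part of the Joe Sandbox report. The flow-log format, the host names and the log lines are constructed for the example, and the ten-minute window is an assumption (the sandbox run shows the two within seconds).

```python
"""Correlate the network sequence this report attributes to the sample.

Added example, not part of the Joe Sandbox report. Indicators are taken from
the report's Contacted Domains and behavior graph; the flow-log format and the
log lines are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the report (Domains and IPs / behavior graph).
PASTE_HOSTS = {"hastebin.com"}
PASTE_IPS = {"172.67.143.180", "104.24.126.89"}   # both Cloudflare edges contacted on 443
SMTP_HOSTS = {"smtp.privateemail.com"}
SMTP_IPS = {"199.193.7.228"}
SMTP_PORTS = {587}
WINDOW = timedelta(minutes=10)   # assumption; the sandbox shows the two within seconds

# Constructed flow-log format: <ISO time> <src host> <dst host or ip> <dst port> <proto>
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+)$")

# Constructed sample log: ws-17 matches the pattern, ws-03 is outside the window,
# ws-21 touches nothing from the report, and the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-12-13T10:02:11 ws-17 hastebin.com 443 tls
2020-12-13T10:02:40 ws-17 199.193.7.228 587 tcp
2020-12-13T10:05:00 ws-03 hastebin.com 443 tls
2020-12-13T11:30:00 ws-03 smtp.privateemail.com 587 tcp
2020-12-13T10:07:00 ws-21 smtp.office365.com 587 tcp
2020-12-13T10:08:00 ws-21 github.com 443 tls
garbage line that must not crash the parser
"""


def parse(log):
    """Parse flow lines into (time, src, dst, port); malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def is_paste_fetch(dst, port):
    return port == 443 and (dst in PASTE_HOSTS or dst in PASTE_IPS)


def is_smtp_submission(dst, port):
    return port in SMTP_PORTS and (dst in SMTP_HOSTS or dst in SMTP_IPS)


def indicator_hits(events):
    """Weak signal: every source host that touched any single indicator."""
    return sorted({src for _, src, dst, port in events
                   if is_paste_fetch(dst, port) or is_smtp_submission(dst, port)})


def correlate(events, window=WINDOW):
    """Strong signal: hosts with an SMTP submission within `window` after a paste fetch.

    Returns {src: [(paste_time, smtp_time), ...]}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        pastes = [t for t, _, dst, port in evs if is_paste_fetch(dst, port)]
        smtps = [t for t, _, dst, port in evs if is_smtp_submission(dst, port)]
        pairs = [(p, s) for p in pastes for s in smtps if timedelta(0) <= s - p <= window]
        if pairs:
            hits[src] = pairs
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("any indicator:", indicator_hits(evs))
    for src, pairs in correlate(evs).items():
        for paste, smtp in pairs:
            print(f"{src}: paste fetch {paste:%H:%M:%S} -> SMTP {smtp:%H:%M:%S}")
```

The weak signal (any single indicator) is what to feed a watchlist; the correlated pair is what to page on. The IP lists deserve a caveat: 172.67.143.180 and 104.24.126.89 are shared Cloudflare edges, so the IP match only means "talked to Cloudflare", and the host-name match from proxy or DNS logs is the one that carries weight.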

URLs from Memory and Binaries

URL strings found in the process memory dumps and in the binaries, with the dump each came from. The Malicious and Reputation columns are generic host reputation, not the string's role in this sample: https://hastebin.com/raw/yonozilace is rated "false / high" although it is the paste the sample fetches (the "Connects to a pastebin service (likely for C&C)" signature), and http://smtp.privateemail.com is the server the injected child submits to on port 587. Also relevant are http://whatismyipaddress.com/- (external-IP lookup, present in every Pictures.exe stage), http://www.nirsoft.net/ (from the bundled NirSoft recovery tools behind the MailPassView and WebBrowserPassView Yara matches) and http://www.site.com/logs.php, which reads like an unfilled placeholder for an HTTP logging endpoint. The font-vendor, Sectigo certificate and schemas.xmlsoap.org entries are strings from loaded fonts, certificate chains and the .NET framework; the trailing junk characters on many of them are extraction artifacts, not distinct URLs.

URL | Sources (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://www.founder.com.cn/cn=I | Pictures.exe, 00000007.00000003.688773365.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
https://hastebin.com | Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp; Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp; Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.comceom | Pictures.exe, 00000007.00000002.812029938.00000000018C7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.html6 | Pictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com6 | Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krY5RI | Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comF | Pictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/yonozilace | Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp; Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp; Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnMIr4 | Pictures.exe, 00000007.00000003.688698853.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krP | Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.coml | Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://whatismyipaddress.com/- | Pictures.exe, 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp; Pictures.exe, 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp; Pictures.exe, 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp; Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp; WerFault.exe, 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.krM | Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | Pictures.exe, 00000007.00000002.813738725.000000000333B000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.deDPlease | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | Pictures.exe, 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.de | Pictures.exe, 00000007.00000003.695329896.0000000006365000.00000004.00000001.sdmp; Pictures.exe, 00000007.00000003.700552872.0000000006368000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Pictures.exe, 00000000.00000002.744682493.0000000002D51000.00000004.00000001.sdmp; Pictures.exe, 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp; WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp; Pictures.exe, 0000000C.00000002.860590575.0000000002501000.00000004.00000001.sdmp; Pictures.exe, 00000012.00000002.880252420.0000000002D11000.00000004.00000001.sdmp; WerFault.exe, 00000013.00000003.743322819.0000000005BA0000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn//wS5IH.. | Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | Pictures.exe, 00000007.00000003.703414982.0000000006368000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Pictures.exe, 00000007.00000002.826255301.0000000008016000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deP | Pictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.deve | Pictures.exe, 00000007.00000003.700382243.0000000006368000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krk5 | Pictures.exe, 00000007.00000003.688216115.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krN.TTF | Pictures.exe, 00000007.00000003.688148286.000000000636E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com7 | Pictures.exe, 00000007.00000003.690845267.0000000006365000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmp | false | - | high
http://smtp.privateemail.com | Pictures.exe, 00000007.00000002.813515212.0000000003300000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coml | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmp | false | - |
                                                                          high
                                                                          http://www.founder.com.cn/cnPictures.exe, 00000007.00000003.688584334.0000000006365000.00000004.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designers/frere-user.htmlPictures.exe, 00000007.00000003.698812159.0000000006367000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpfalse
                                                                            high
                                                                            http://www.sakkal.com-uPictures.exe, 00000007.00000003.690785551.0000000006365000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://wI5CH./Pictures.exe, 00000007.00000003.688626211.000000000636E000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://crl.microWerFault.exe, 00000013.00000003.772377584.0000000003485000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.fontbureau.com/designers/cabarga.htmlPictures.exe, 00000007.00000003.699262389.0000000006368000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://www.carterandcone.comxPictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.jiyu-kobo.co.jp/Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.zhongyicts.com.cno.Pictures.exe, 00000007.00000003.689287299.0000000006368000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designers8Pictures.exe, 00000007.00000002.823160870.00000000064B0000.00000002.00000001.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/WerFault.exe, 0000000A.00000003.706265727.0000000005CF0000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.fontbureau.com/designers/Pictures.exe, 00000007.00000003.695701608.0000000006365000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.urwpp.deePictures.exe, 00000007.00000003.693500062.0000000006365000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.carterandcone.comopszPictures.exe, 00000007.00000003.690314858.0000000006365000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.193.7.228 | unknown | United States | 22612 | NAMECHEAP-NET US | false
104.24.126.89 | unknown | United States | 13335 | CLOUDFLARENET US | false
172.67.143.180 | unknown | United States | 13335 | CLOUDFLARENET US | false

The Domain column is unknown for all three, but the two Cloudflare addresses are exactly the addresses hastebin.com resolves to in the Joe Sandbox View / Context section below, so the "false" verdict reflects the reputation of shared CDN address space, not of the hostname the sample contacted. The Namecheap address sits in the network of the provider behind the smtp.privateemail.com host carved from memory above; the report does not include the DNS lookup that would confirm that pairing, so treat it as an inference.

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 329739
Start date: 13.12.2020
Start time: 09:00:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Pictures.bat (renamed file extension from bat to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@49/21@10/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 31.7%
• Quality standard deviation: 29.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 168.61.161.212, 51.11.168.160, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 52.255.188.83, 104.43.193.48, 93.184.220.29
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, crl3.digicert.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Taken together (light report, timeout, report size and TCP packet caps), the behaviour, network and disassembly sections of this report are known to be incomplete, so the absence of an indicator here is not evidence that the sample lacks it.

Simulations

Behavior and APIs

Time | Type | Description
09:01:23 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\Pictures.exe
09:01:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe C:\Users\user\Desktop\Pictures.exe
09:01:39 | API Interceptor | 28x Sleep call for process: Pictures.exe modified
09:01:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\Pictures.exe
09:01:44 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
09:01:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pictures.exe C:\Users\user\Desktop\Pictures.exe
09:01:57 | Autostart | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe

HKCU64 is the 64-bit view of the same Run key; <Unknown> is the sandbox's placeholder for a value name it did not capture, and the following entry in each view shows the value is named Pictures.exe and points at the sample's own location on the Desktop. The "Sleep call ... modified" rows record the API Interceptor shortening the sample's Sleep calls, so the timestamps in this table are compressed relative to what a real host would see.
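A host-side check for the persistence artifacts in the table above, as an added example that is not part of the Joe Sandbox report or of the sandbox's own tooling. It assumes PowerShell 5.1 or later run as the affected user, and its -KnownBadSha256 parameter is a hypothetical operator-supplied list (the sample hash from the report's header would go there). It enumerates the Run and RunOnce keys in both registry views (the report's HKCU and HKCU64), the per-user and all-users Startup folders, and flags entries that launch from user-writable locations such as the Desktop, whose value name is the target's own file name (the "Pictures.exe" value above), or whose target hashes to a supplied value.

```powershell
# Added example (not from the Joe Sandbox report): hunt a Windows host for the
# autostart artifacts listed under "Behavior and APIs". Assumes PowerShell 5.1+
# and read access to HKCU/HKLM; -KnownBadSha256 is a hypothetical operator input.
param(
    [string[]]$KnownBadSha256 = @()   # e.g. the sample's SHA256 from the report header
)

# Run keys are checked in both the 32-bit and 64-bit views (the report logs HKCU and HKCU64).
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hives = @(
    @{ Name = 'HKCU'; Hive = [Microsoft.Win32.RegistryHive]::CurrentUser },
    @{ Name = 'HKLM'; Hive = [Microsoft.Win32.RegistryHive]::LocalMachine }
)
$views = @([Microsoft.Win32.RegistryView]::Registry32, [Microsoft.Win32.RegistryView]::Registry64)

# Startup folders: per-user (the report's drop location) and all-users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# User-writable roots a legitimate autostart rarely launches from (no admin rights needed to plant there).
$suspiciousRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Accepts both "C:\path\app.exe" /arg and C:\path\app.exe /arg forms.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-Artifact {
    param([string]$Source, [string]$Name, [string]$Target)
    $reasons = @()
    foreach ($root in $suspiciousRoots) {
        if ($root -and $Target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "target under user-writable path ($root)"
            break
        }
    }
    # The report's value name equals the executable's file name ("Pictures.exe"); flag that pattern.
    if ($Name -and ($Name -ieq [IO.Path]::GetFileName($Target))) {
        $reasons += 'value name equals target file name'
    }
    $hash = $null
    if (Test-Path -LiteralPath $Target -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
        if ($KnownBadSha256 -icontains $hash) { $reasons += 'SHA256 matches known-bad list' }
    } else {
        $reasons += 'target missing on disk (dangling autostart)'
    }
    [pscustomobject]@{
        Source = $Source
        Name   = $Name
        Target = $Target
        SHA256 = $hash
        Flags  = ($reasons -join '; ')
    }
}

$results = @()
foreach ($h in $hives) {
    foreach ($v in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($h.Hive, $v)
        foreach ($sub in $runSubKeys) {
            $key = $base.OpenSubKey($sub)
            if (-not $key) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($valueName)
                $results += Test-Artifact -Source "$($h.Name)[$v]\$sub" -Name $valueName -Target (Get-ExePathFromCommand $cmd)
            }
            $key.Close()
        }
        $base.Close()
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $results += Test-Artifact -Source "Startup folder $dir" -Name $_.Name -Target $_.FullName
    }
}

# Only entries with at least one flag are printed; an empty result means nothing matched.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it even after the Startup-folder copy has been removed: the Run values in the table above point at the Desktop path, so a dangling autostart whose target no longer exists is itself a trace of the infection and is flagged by the script.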

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
199.193.7.228
• 7iZX0KCH4C.exe | malicious
• Al-Hbb_Doc-EUR_Pdf.exe | malicious
• SIWFT refTRF08463473 20201611.exe | malicious
• Pictures_Designs_images_Dragram on.exe | malicious
• pictures of me and factory haw on.exe | malicious
• #U6807#U51c6#U7684#U6837#U672c#U683c#U5f0f #U66f4#U65b0.xlsx.exe | malicious
• PROFOMA INVOICE LPO-682768286830.exe | malicious
• payment issue.docx | malicious
• 32IY5Rn02W.exe | malicious
• I6Sk8JcGLp.exe | malicious
• vm13rtE9ua.exe | malicious
• Urgent (0998 R1) ST PO1805140.exe | malicious
• T21 Orders - Quotation 309-Ref-284.exe | malicious
• G6pOfA1Ly3.exe | malicious
• tQAb4zwepD.rtf | malicious
• e05JLHdiva.exe | malicious
• swift transfer copy 639082020.exe | malicious
• dWSU.exe | malicious
• NBUSpRGwKqFfAcoxptdwkgXyGpxRqE.exe | malicious
• company certificate.exe | malicious
104.24.126.89
• http://freexyg.imghpoers.pw/north-east-dairies.html | malicious | freexyg.imghpoers.pw/favicon.ico
172.67.143.180
• ORDER #0622.exe | malicious
• 01_extracted.exe | malicious
• 02_extracted.exe | malicious
• PO122020.exe | malicious
• SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.5064.exe | malicious
• Le8z5e90IO.exe | malicious
• vHWqKRYpan.exe | malicious
• 8cXVAdvZhh.exe | malicious
• ENS004.xls | malicious
• LA99293P02.xls | malicious
• IN.986434.exe | malicious
• ORDER # 00246XF.exe | malicious
• DHL CUSTOMER FORM.jpg.exe | malicious
• SecuriteInfo.com.Trojan.DownLoader35.57660.10998.exe | malicious
• SC Inquiry.exe | malicious
• Dec purchase order.xlsx | malicious
• SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.4020.exe | malicious
• Documento de transferencia de Scotiabank7497574730084doc.exe | malicious
• Document N0-BR1702Q667420_12.exe | malicious
• Bank paymentcopy001#pdf.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
hastebin.com
• ORDER #0622.exe | malicious | 172.67.143.180
• 01_extracted.exe | malicious | 104.24.127.89
• 02_extracted.exe | malicious | 104.24.127.89
• payment document.exe | malicious | 104.24.126.89
• PO122020.exe | malicious | 172.67.143.180
• #PO-NX--LI-2-12-20.jpg.exe | malicious | 104.24.126.89
• GkNa5RLWZn.exe | malicious | 104.24.127.89
• archivierter Katalog.exe | malicious | 104.24.127.89
• New Order document.exe | malicious | 104.24.127.89
• SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.5064.exe | malicious | 172.67.143.180
• O8Ii8MW7rn.exe | malicious | 104.24.126.89
• Le8z5e90IO.exe | malicious | 172.67.143.180
• vHWqKRYpan.exe | malicious | 104.24.127.89
• 8cXVAdvZhh.exe | malicious | 172.67.143.180
• ENS004.xls | malicious | 172.67.143.180
• LA99293P02.xls | malicious | 104.24.126.89
• Invoices.exe | malicious | 104.24.126.89

Two things are worth reading out of these overlaps. First, hastebin.com has resolved to 104.24.126.89, 104.24.127.89 and 172.67.143.180 across these samples, and only the first and last were contacted in this run: the hostname, not any single Cloudflare address, is the stable indicator. Second, the samples sharing 199.193.7.228 include two with the same "Pictures" lure naming as this one (Pictures_Designs_images_Dragram on.exe, pictures of me and factory haw on.exe) alongside the usual invoice, order and bank-transfer themes, which suggests shared campaign infrastructure at that address rather than a coincidental hosting overlap.
                                                                                                                                                                    ENS003.xlsGet hashmaliciousBrowse
                                                                                                                                                                    • 104.24.127.89
                                                                                                                                                                    xDDWr9lEuo.exeGet hashmaliciousBrowse
                                                                                                                                                                    • 104.24.126.89
                                                                                                                                                                    IN.986434.exeGet hashmaliciousBrowse
                                                                                                                                                                    • 172.67.143.180
smtp.privateemail.com
7iZX0KCH4C.exe | malicious | 199.193.7.228
Purchase Order.exe | malicious | 199.193.7.228
Al-Hbb_Doc-EUR_Pdf.exe | malicious | 199.193.7.228
SIWFT refTRF08463473 20201611.exe | malicious | 199.193.7.228
Pictures_Designs_images_Dragram on.exe | malicious | 199.193.7.228
pictures of me and factory haw on.exe | malicious | 199.193.7.228
#U6807#U51c6#U7684#U6837#U672c#U683c#U5f0f #U66f4#U65b0.xlsx.exe | malicious | 199.193.7.228
PROFOMA INVOICE LPO-682768286830.exe | malicious | 199.193.7.228
payment issue.docx | malicious | 199.193.7.228
32IY5Rn02W.exe | malicious | 199.193.7.228
I6Sk8JcGLp.exe | malicious | 199.193.7.228
vm13rtE9ua.exe | malicious | 199.193.7.228
Urgent (0998 R1) ST PO1805140.exe | malicious | 199.193.7.228
T21 Orders - Quotation 309-Ref-284.exe | malicious | 199.193.7.228
G6pOfA1Ly3.exe | malicious | 199.193.7.228
tQAb4zwepD.rtf | malicious | 199.193.7.228
e05JLHdiva.exe | malicious | 199.193.7.228
swift transfer copy 639082020.exe | malicious | 199.193.7.228
xtKCPPNMhz.rtf | malicious | 199.193.7.228
SecuriteInfo.com.BackDoor.SpyBotNET.25.23177.exe | malicious | 199.193.7.228

                                                                                                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context (IP contacted)
NAMECHEAP-NETUS
https://u920579.ct.sendgrid.net/ls/click?upn=Cq4RbLQjlFZUayowJ9tEN6gixmb7UKhyXAXCvMsmbICjFD5DhJprkszpFOyNbgNmq7-2Bq9gyOkpQCauiiQYtKUuzuhRkDdVY3iYQlbf85PPIex1qg1iCLXLRCmn62egy7Kd2WI-2FZe6QjrykO-2BkxUIwg-3D-3Da0Ze_tSu-2BgbrFGsICLGVaAGPqAvBa4uzmGUZNhZ55boO3KRTzNu4GGZepxUqpMzDNq41wULstJA35t6JtnVf2vFtHlmz2-2B31tSDfiBobK3sk93ifRCie1NHPaL2KnBxyzl2a1K3xUYPE-2FZxt6LXV-2FOq7Qf7BGwhC5mooDbh2JB86GzKa1gkvDcq2SJ7XHDp7jJpNK-2FgzsQi2DReRUeTh8TNbzxPb03EO0c0GUBrVxC04FuSc-3D | malicious | 104.219.248.102
https://t.yesware.com/tt/ae9851ab7b578dad1289f08bbf450624f7ae3a45/2ee42987f58d2f32bb36ff11a00dd921/2f4e7e35c28c3b7f4958904f5584a915/joom.ag/2VFC | malicious | 192.64.118.140
https://firebasestorage.googleapis.com/v0/b/suga-23109.appspot.com/o/owa%2Findex2isq.html?alt=media&token=37a2b62e-b1f7-4e6b-90a6-c624a30a6a95#centralbilling@opisnet.com | malicious | 198.54.120.22
http://amar.alwani.xalia-outlet.com/exr/amar.alwani@centrica.com | malicious | 199.188.206.8
D00974974-xls.exe | malicious | 198.54.117.211
#Ud83d#Udcdevmshares_msgs.htm | malicious | 198.54.115.249
zISJXAAewo.exe | malicious | 198.54.117.218
http://amar.alwani.xalia-outlet.com/exr/amar.alwani@centrica.com | malicious | 199.188.206.8
CLxJeVvzMA.exe | malicious | 198.54.117.216
Companyprofile_Order_384658353.xlsx | malicious | 198.54.117.211
reciept.xls | malicious | 68.65.122.159
https://activingo.org/sanitaryequipment | malicious | 198.54.116.237
Statement_9505_of_12_09_2020.xlsm | malicious | 198.187.29.233
PURCHASE ORDER-SNDK521036.exe | malicious | 162.0.232.137
MSC printouts of outstanding as of 73221_12_09_2020.xlsm | malicious | 198.187.31.225
anthony.exe | malicious | 63.250.41.49
https://voicenotes.eternalallureco.com/screen.php?New_tWfgGGT____soppdYTW_____opUtyDheGWWeQiWJDD___fhfhKLHJSfCxsD=justyna.parzych@ocs.com&fCCjdhRWyryCCSXW____fjfhDFHHFhsh=SFI7SW1wLiAjOTQ5NTMgUHJvZC5wZGY= | malicious | 162.0.239.153
tDuLlLosre.exe | malicious | 192.64.119.113
uqAU5Vneod.exe | malicious | 198.54.117.210
tDuLlLosre.exe | malicious | 198.54.117.212
CLOUDFLARENETUS
ORDER #0622.exe | malicious | 172.67.143.180
MOT_507465.xls | malicious | 172.67.8.238
PO_01312.xls | malicious | 104.22.0.232
Z7G2lyR0tT.exe | malicious | 162.159.130.233
Confirmation transfer Ref No-MT103-003567865300.exe | malicious | 104.23.98.190
01_extracted.exe | malicious | 172.67.143.180
02_extracted.exe | malicious | 172.67.143.180
oxygen.exe | malicious | 104.27.159.152
http://url7046.davenportaviation.com/ls/click?upn=Pqmk-2BR5UYiYrLs3LOQb6eX8-2FwMNRh93DHwpY5jegAMonakc5abwzYkjZwuJJIdpTUfwxS3-2FAx2Gg6cNlydrr3lSyhbQTpfJekghaGpBvYb34VwHegANFETS-2FFd170CzXgnUntkFmes-2BUYVWS7isVSQ-2BbQcyOyt4f-2Bdn-2BlFnZ-2Bqc-3DTWzB_2IBYBvCQdAsKAURptGS99dQMFBKrK1wN4XnxMdJ0cXIh9nYwGT3Xwu-2BJ4yf9Ega2-2Fb4aBZPIv-2F3Uh6pUJMakz0TzeZTX0xl7pOsgfOO7FI6CvgBpGnBWoUQlNzcwTa1LKYuValVrvKiMxY1ZNZHP-2BwhweO-2FZEg0fuZ6oQdKpkhXMgoW3oLYapFkguRBnE85xKgVHSn2GJnx3Lso6MZ9nDxeiqulUm-2FFAzZN-2BDV7xlDk-3D | malicious | 104.16.19.94
vrptY10F5d.exe | malicious | 172.67.203.151
https://nelleinletapt.buzz/CD/office365.htm | malicious | 104.31.89.138
Your File Is Ready To Download_817649.exe | malicious | 172.67.73.185
https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fin0038847990.sn.am%2flfCk7ZE6GWq&c=E,1,XbwqZlmKwFAf_trFhDdV9wkuU6vutPEIQqN4IhE8jUbxLD3wnPPXDvKp8Jibjk9HngPAI5iRQWnG4vU_DQMKfMGkzgCqkZ-4BfRprMNSl9Nr7VoPQEtWNft5&typo=1 | malicious | 104.16.19.94
Your File Is Ready To Download_817649.exe | malicious | 104.31.89.28
http://kikicustomwigs.com/inefficient.php | malicious | 104.20.185.68
https://t.yesware.com/tt/ae9851ab7b578dad1289f08bbf450624f7ae3a45/2ee42987f58d2f32bb36ff11a00dd921/2f4e7e35c28c3b7f4958904f5584a915/joom.ag/2VFC | malicious | 104.18.12.5
https://evenfair.com/Doc.htm | malicious | 104.20.21.239
https://timcoulson.com/mailer-daemon/?mail=james.dean@ahtd.ar.gov | malicious | 104.16.123.175
https://quip.com/bsalAnQMfvNm | malicious | 104.20.185.68
http://url7046.davenportaviation.com/ls/click?upn=Pqmk-2BR5UYiYrLs3LOQb6eX8-2FwMNRh93DHwpY5jegAMoDOwszjVyyAYaDT-2FHLoDdyO6UKIM2nszToDBLH-2F-2BNBrM6YQWQ3fPgFgPdQQKS7kqDF4HAaq-2Fr6xARUzkvrAsaEOKHpwbrn6MO6h-2FVQHqp3WyMFrzO-2FMB03yvlq5NFbbAuXPdxXXNisWAoifgesDs3QJMZE_MTQeFU9OGQYuK17CNM-2FHMO1to19MQZsIfTzkvxZNPLbcqMHTFg465yb8XLd5b0rgockrJEbP9S-2BmH6yrcb6D2Cedv8q0zDKvCKHjkGBdm0VSLiKWxvNJFHYTC9Iu2wUuCoFD26NSM7oM4H1iIEuKaivLf23AP7umZUdZ2jjs6dVp5S47XHieCaV16dvBQPvHZmuEMRH0w6XX1JETA-2BLpCr8JmDoRvBBZSGH-2FQaexfGo-3D | malicious | 104.16.18.94
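The rows above are only useful if they are turned into indicators with the right weight. Two things stand out: every sample in the smtp.privateemail.com group contacted the same host, 199.193.7.228, which fits a keylogger that exfiltrates over SMTP; the CLOUDFLARENETUS group, on the other hand, lists Cloudflare edge addresses that are shared by many unrelated tenants, so a bare IP from that group is not a block indicator on its own. The script below is an added example (my code, not part of the Joe Sandbox report or the analyzer) that parses the flattened "similar samples" rows exactly as the report renders them, peels the group label off the first row of each group, and ranks the resulting IPs so single-tenant infrastructure with the most distinct samples comes first. The excerpt is constructed from the rows above and truncated; the list of group labels and the choice of which groups count as shared infrastructure are assumptions for this example.

```python
"""Parse the flattened "similar samples" rows of a Joe Sandbox report into ranked IOCs."""
import re
from collections import defaultdict

# Group labels exactly as they appear above (a matched domain, then the ASN names of the
# "Similar samples by ASN" table). The report fuses the label onto the first sample row of
# each group, so the parser peels it off by prefix. Assumed list for this example.
MATCH_KEYS = ("smtp.privateemail.com", "NAMECHEAP-NETUS", "CLOUDFLARENETUS")

# Constructed excerpt, copied from the rows above and truncated: one sample row
# ("<name>Get hash<verdict>Browse", i.e. the SHA-256 and Browse link residue) followed
# by a bullet line carrying the contacted IP.
REPORT_EXCERPT = """\
smtp.privateemail.com7iZX0KCH4C.exeGet hashmaliciousBrowse
• 199.193.7.228
Purchase Order.exeGet hashmaliciousBrowse
• 199.193.7.228
NAMECHEAP-NETUSD00974974-xls.exeGet hashmaliciousBrowse
• 198.54.117.211
zISJXAAewo.exeGet hashmaliciousBrowse
• 198.54.117.218
CLOUDFLARENETUSORDER #0622.exeGet hashmaliciousBrowse
• 172.67.143.180
MOT_507465.xlsGet hashmaliciousBrowse
• 172.67.8.238
01_extracted.exeGet hashmaliciousBrowse
• 172.67.143.180
"""

SAMPLE_ROW = re.compile(r"^(?P<name>.+?)Get hash(?P<verdict>[a-z]+)Browse$")
IP_LINE = re.compile(r"^•\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# Groups whose addresses are shared edge infrastructure: many unrelated tenants sit behind
# them, so an IP alone is not a usable block indicator. Assumption for this example; extend
# it with whatever CDN or hosting ASNs your environment treats the same way.
SHARED_INFRA_GROUPS = frozenset({"CLOUDFLARENETUS"})


def parse_similar_samples(text, match_keys=MATCH_KEYS):
    """Return one record per (sample, ip) pair: {group, sample, verdict, ip}."""
    records, group, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip = IP_LINE.match(line)
        if ip:
            if pending is None:
                raise ValueError(f"context IP without a preceding sample row: {line!r}")
            records.append({**pending, "ip": ip.group("ip")})
            pending = None
            continue
        row = SAMPLE_ROW.match(line)
        if row is None:
            raise ValueError(f"unrecognised line: {line!r}")
        name = row.group("name")
        # A group label only ever appears fused onto the first row of its group.
        for key in match_keys:
            if name.startswith(key):
                group, name = key, name[len(key):]
                break
        pending = {"group": group, "sample": name, "verdict": row.group("verdict")}
    if pending is not None:
        raise ValueError(f"sample row without a context IP: {pending['sample']!r}")
    return records


def summarise_by_ip(records, shared_groups=SHARED_INFRA_GROUPS):
    """Collapse records to one entry per IP, ranked so the most actionable indicators come
    first: single-tenant addresses before shared edge addresses, then by distinct samples."""
    by_ip = defaultdict(lambda: {"group": None, "samples": set()})
    for rec in records:
        by_ip[rec["ip"]]["group"] = rec["group"]
        by_ip[rec["ip"]]["samples"].add(rec["sample"])
    summary = [
        {
            "ip": ip,
            "group": entry["group"],
            "sample_count": len(entry["samples"]),
            "shared_infrastructure": entry["group"] in shared_groups,
        }
        for ip, entry in by_ip.items()
    ]
    summary.sort(key=lambda s: (s["shared_infrastructure"], -s["sample_count"], s["ip"]))
    return summary


if __name__ == "__main__":
    for entry in summarise_by_ip(parse_similar_samples(REPORT_EXCERPT)):
        flag = "shared infra, do not block on IP alone" if entry["shared_infrastructure"] else "candidate IOC"
        print(f'{entry["ip"]:<16} {str(entry["group"]):<22} {entry["sample_count"]} sample(s)  {flag}')
```

Run against the full tables, the ranking puts 199.193.7.228 at the top (twenty distinct samples, single host, no CDN in front), the Namecheap hosting addresses next, and the Cloudflare edges last; for those, the domain or URL in the row is the indicator worth keeping, not the address.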
                                                                                                                                                                    • 104.31.89.138
                                                                                                                                                                    Your File Is Ready To Download_817649.exeGet hashmaliciousBrowse
                                                                                                                                                                    • 172.67.73.185
                                                                                                                                                                    https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fin0038847990.sn.am%2flfCk7ZE6GWq&c=E,1,XbwqZlmKwFAf_trFhDdV9wkuU6vutPEIQqN4IhE8jUbxLD3wnPPXDvKp8Jibjk9HngPAI5iRQWnG4vU_DQMKfMGkzgCqkZ-4BfRprMNSl9Nr7VoPQEtWNft5&typo=1Get hashmaliciousBrowse
                                                                                                                                                                    • 104.16.19.94
                                                                                                                                                                    Your File Is Ready To Download_817649.exeGet hashmaliciousBrowse
                                                                                                                                                                    • 104.31.89.28
                                                                                                                                                                    http://kikicustomwigs.com/inefficient.phpGet hashmaliciousBrowse
                                                                                                                                                                    • 104.20.185.68
                                                                                                                                                                    https://t.yesware.com/tt/ae9851ab7b578dad1289f08bbf450624f7ae3a45/2ee42987f58d2f32bb36ff11a00dd921/2f4e7e35c28c3b7f4958904f5584a915/joom.ag/2VFCGet hashmaliciousBrowse
                                                                                                                                                                    • 104.18.12.5
                                                                                                                                                                    https://evenfair.com/Doc.htmGet hashmaliciousBrowse
                                                                                                                                                                    • 104.20.21.239
                                                                                                                                                                    https://timcoulson.com/mailer-daemon/?mail=james.dean@ahtd.ar.govGet hashmaliciousBrowse
                                                                                                                                                                    • 104.16.123.175
                                                                                                                                                                    https://quip.com/bsalAnQMfvNmGet hashmaliciousBrowse
                                                                                                                                                                    • 104.20.185.68
                                                                                                                                                                    http://url7046.davenportaviation.com/ls/click?upn=Pqmk-2BR5UYiYrLs3LOQb6eX8-2FwMNRh93DHwpY5jegAMoDOwszjVyyAYaDT-2FHLoDdyO6UKIM2nszToDBLH-2F-2BNBrM6YQWQ3fPgFgPdQQKS7kqDF4HAaq-2Fr6xARUzkvrAsaEOKHpwbrn6MO6h-2FVQHqp3WyMFrzO-2FMB03yvlq5NFbbAuXPdxXXNisWAoifgesDs3QJMZE_MTQeFU9OGQYuK17CNM-2FHMO1to19MQZsIfTzkvxZNPLbcqMHTFg465yb8XLd5b0rgockrJEbP9S-2BmH6yrcb6D2Cedv8q0zDKvCKHjkGBdm0VSLiKWxvNJFHYTC9Iu2wUuCoFD26NSM7oM4H1iIEuKaivLf23AP7umZUdZ2jjs6dVp5S47XHieCaV16dvBQPvHZmuEMRH0w6XX1JETA-2BLpCr8JmDoRvBBZSGH-2FQaexfGo-3DGet hashmaliciousBrowse
                                                                                                                                                                    • 104.16.18.94

                                                                                                                                                                    JA3 Fingerprints


                                                                                                                                                                    Dropped Files

                                                                                                                                                                    No context

                                                                                                                                                                    Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Pictures.exe_8de45086902aa2ba8efa51809173eaf73c535_065d0aef_132ed53a\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 16862
Entropy (8bit): 3.758598470756162
Encrypted: false
SSDEEP: 192:KC+mHBUZMXSaPcenu8Nqt/u7swS274ItIJ:pPBUZMXSaZ7A/u7swX4ItIJ
MD5: DE792DA42617B5CED570EDF810CF25B0
SHA1: F58161A03FFF393FB2C1F74DA6D321BB82FF70BA
SHA-256: 1670138F0529C121DDAAFE72769B0A345130CA975FBC9437815E66DA2861DDF1
SHA-512: 3ED5719EE8ACE6F3F6D42DFD031FD8C84D5372F1EC78112506D223A320E92DA4E85594E7DB489F76E82A4000712533D22D804FD3E96B03294827688F4E55234B
Malicious: true
                                                                                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.2.3.2.0.1.3.6.4.7.3.6.6.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.2.3.2.0.1.6.7.1.1.4.1.8.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.9.6.2.0.b.8.-.0.d.8.4.-.4.3.e.9.-.a.d.0.0.-.d.6.2.7.b.5.c.a.c.8.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.0.1.d.5.3.7.-.9.8.3.2.-.4.b.4.6.-.b.d.6.6.-.f.d.0.1.4.b.b.4.0.8.4.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.i.c.t.u.r.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.9.0.-.0.0.0.1.-.0.0.1.b.-.2.c.c.c.-.3.f.3.0.2.6.d.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.c.2.5.c.d.e.6.6.4.5.7.7.b.8.5.8.a.3.5.2.f.3.8.6.c.c.3.a.c.5.1.0.0.0.0.f.f.f.f.!.0.0.0.0.3.b.3.7.3.c.e.0.9.c.a.d.2.6.8.b.3.a.e.8.6.4.5.4.f.4.b.a.2.3.d.7.0.e.5.9.7.7.0.f.!.P.i.c.t.u.r.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Pictures.exe_8de45086902aa2ba8efa51809173eaf73c535_065d0aef_1a1a2321\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 16864
Entropy (8bit): 3.7593514119223754
Encrypted: false
SSDEEP: 192:AJJgg7kOmHBUZMXSaPcenu8Nqt/u7swS274ItIS:E7A/BUZMXSaZ7A/u7swX4ItIS
MD5: 106E93C4ECD9BDF6B7A28300B6960DFA
SHA1: D2AF39A0F320481E440B322FA9389F4AA75A40AE
SHA-256: BAD2F590F612CD7C9892E087D49370828E696A3EBB01721B4268F8AEAAF5B20D
SHA-512: 776DBC67597C08EC2A25A9390E1CE92B1A918BCE659005ADA3C0135A00760C00BE2196B73E591C04AA7CF052D091376C7D71E81BCD62C1D4233C5BF9183766F6
Malicious: true
                                                                                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.2.3.2.0.1.1.5.1.1.4.3.5.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.2.3.2.0.1.5.1.1.6.1.1.0.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.0.4.9.a.7.7.-.5.6.e.0.-.4.7.a.4.-.9.f.3.d.-.5.1.2.0.f.9.5.9.f.1.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.7.f.c.f.b.9.-.6.c.3.0.-.4.2.5.1.-.b.9.0.7.-.f.4.6.8.3.6.5.c.d.4.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.i.c.t.u.r.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.c.-.0.0.0.1.-.0.0.1.b.-.d.1.b.b.-.5.b.2.b.2.6.d.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.c.2.5.c.d.e.6.6.4.5.7.7.b.8.5.8.a.3.5.2.f.3.8.6.c.c.3.a.c.5.1.0.0.0.0.f.f.f.f.!.0.0.0.0.3.b.3.7.3.c.e.0.9.c.a.d.2.6.8.b.3.a.e.8.6.4.5.4.f.4.b.a.2.3.d.7.0.e.5.9.7.7.0.f.!.P.i.c.t.u.r.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Pictures.exe_8de45086902aa2ba8efa51809173eaf73c535_065d0aef_1af963d8\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 17060
Entropy (8bit): 3.7575296258793593
Encrypted: false
SSDEEP: 192:6/Q3mHBUZMXSaKsUAip36A/u7sLS274ItI2:KQOBUZMXSalit/u7sLX4ItI2
MD5: E00BB640DCF08EB94F53FB84D80B2475
SHA1: D457FF16FF927F94F1C9985C95F61616399C01FA
SHA-256: CF0CCC6932EB0EE1454BD7FEDF40FF4D8FDE30F3EB4705B36E6ABA1A8A26D2CA
SHA-512: 69E8FED4762FB5F09644594DD57C618EFA9349E67B2B28D326CA5D9FAEA666795A8367AB8A8EC31D13DDFF3006DB59E3979B5595D5F54348835A713C9404A936
Malicious: true
                                                                                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.2.3.2.0.0.8.8.0.9.8.8.2.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.2.3.2.0.1.0.2.5.9.8.7.6.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.2.1.4.e.f.9.-.4.8.2.1.-.4.5.2.c.-.a.9.9.7.-.3.1.a.3.d.1.9.4.e.c.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.6.e.6.0.9.8.-.d.b.a.a.-.4.f.2.e.-.9.7.8.d.-.c.5.5.9.4.3.c.3.0.a.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.i.c.t.u.r.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.d.4.-.0.0.0.1.-.0.0.1.b.-.d.f.4.f.-.c.b.1.f.2.6.d.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.c.2.5.c.d.e.6.6.4.5.7.7.b.8.5.8.a.3.5.2.f.3.8.6.c.c.3.a.c.5.1.0.0.0.0.f.f.f.f.!.0.0.0.0.3.b.3.7.3.c.e.0.9.c.a.d.2.6.8.b.3.a.e.8.6.4.5.4.f.4.b.a.2.3.d.7.0.e.5.9.7.7.0.f.!.P.i.c.t.u.r.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Pictures.exe_c3cdff3dc5b833acfdddbc409e2196a711873b15_d8cb31ed_1619b505\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 16366
Entropy (8bit): 3.7578941116600286
Encrypted: false
SSDEEP: 192:gWurVHBUZMXSaPXUlXK8zIUGyG/u7sLS274ItI5Xl:zuJBUZMXSasVG/u7sLX4ItI51
MD5: CBB3FCBBFA1AEB30C25E805AAF9D1C95
SHA1: A33AB9833EBF6761BB6013109D9396309767FBB5
SHA-256: 0E24AA1162C7AD9FC20F95DFA5970031D830BC0C79A02244A96E352065DC7D7D
SHA-512: 1737D32753F9CA57A85D8AD4DF78811852DF40F321F9C5D4677313D87BD196D1EDB5389CB33A9AB1E73880047F8BDC216D85A361E3F65D8629762E6C6EFD29D4
Malicious: true
                                                                                                                                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.2.3.2.0.1.0.4.9.2.6.8.8.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.2.3.2.0.1.2.2.9.7.3.7.0.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.4.a.c.f.0.4.-.4.d.6.7.-.4.3.7.c.-.b.8.f.c.-.2.1.6.7.0.9.8.a.4.3.e.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.e.2.5.4.c.e.-.f.a.4.d.-.4.7.e.9.-.a.d.f.8.-.9.0.6.4.8.2.7.7.4.b.e.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.i.c.t.u.r.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.b.-.e.c.c.2.-.0.1.2.6.2.6.d.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.c.2.5.c.d.e.6.6.4.5.7.7.b.8.5.8.a.3.5.2.f.3.8.6.c.c.3.a.c.5.1.0.0.0.0.f.f.f.f.!.0.0.0.0.3.b.3.7.3.c.e.0.9.c.a.d.2.6.8.b.3.a.e.8.6.4.5.4.f.4.b.a.2.3.d.7.0.e.5.9.7.7.0.f.!.P.i.c.t.u.r.e.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER2558.tmp.dmp
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Dec 13 08:01:35 2020, 0x1205a4 type
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):328688
                                                                                                                                                                    Entropy (8bit):3.6198580288230544
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:UU70g2yHjd+pymQZs9gIOgF5g5HY0rXkuyRUCgUj9bC9+5oyd8:j0BJpv9RpDg5HYlTj8M5T6
                                                                                                                                                                    MD5:C1AF10322B03C9F8A552BB28ECC13EBA
                                                                                                                                                                    SHA1:B1E18D8CA8A2361DC45FA1603680EBF23F7E0AEA
                                                                                                                                                                    SHA-256:541F2C2A060E8EEFE0E706CC93484CAEF467DF2F10BAD7A71F0DAA2776379176
                                                                                                                                                                    SHA-512:056633FC940CF31020A24BB0F0CFD0ED23C6CA71455A897E894B79B435406C379D7808DA1B3757887A79CA245654C14BC1972B9D3EA1EA0C19FB2C177CFB8C21
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: MDMP....... ......._.._...................U...........B......L0......GenuineIntelW...........T...........H.._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER28CF.tmp.WERInternalMetadata.xml
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):8400
                                                                                                                                                                    Entropy (8bit):3.693980759879209
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:Rrl7r3GLNiAp6Gh6YrUSU7zlEgmfZGS1+prx89b/Gsfi1m:RrlsNim6Gh6Y4SU7zlEgmfkSv/lf5
                                                                                                                                                                    MD5:CC590D48C5CCFF82C612DD4A30FDB619
                                                                                                                                                                    SHA1:CD062A7F98FAC1F901ED03552DAE4563ACD88321
                                                                                                                                                                    SHA-256:1CE2767EEFEB35F881F4A8A083E9F2FDF6ECF43C28B96B63C11C3E22A5314113
                                                                                                                                                                    SHA-512:266C8ED5E632A3004F1FB54ECDD6B920168D02F7A8F4EA9E35959824317D8A472FB9FA600E57FBD27D566620F85E89826F9B6E6DF4DBA5357D1CD4B9E61D2123
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.8.4.<./.P.i.d.>.......
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER313C.tmp.xml
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4678
                                                                                                                                                                    Entropy (8bit):4.455788378170149
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:cvIwSD8zsRJgtWI9GijWSC8BtEf8fm8M4Jwg4FF66+q8ve4VD8mvkAd:uITfjYSSN77Jwm6K3D8mvkAd
                                                                                                                                                                    MD5:702332268A87B1C5FCCAC63C33BDEB52
                                                                                                                                                                    SHA1:FEFDAD318BFE3A66C26486899AF0165E59CE55D4
                                                                                                                                                                    SHA-256:9D1961E84D2434C0D5E698A2D8268F4C558DE8617B201AF13C59DA8EFC886296
                                                                                                                                                                    SHA-512:DB08853ADF9F80EAC6AA671B1A05CDF0DC9941F36B8E17944A4D81EEE9BE82609B60739187DC60FB7F66082DECB26ADE8EE7FC120AAB9B45ED079B322B2BBEC1
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="769993" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4499.tmp.WERInternalMetadata.xml
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):8402
                                                                                                                                                                    Entropy (8bit):3.693007348357344
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:Rrl7r3GLNigM6FvQoiu6YrFSU2zfsOgmfZGS1+prh89bXYsfddm:RrlsNij6R6YJSU2zfsOgmfkSPXLfW
                                                                                                                                                                    MD5:97C927519055AE16BFA194BC91C770A2
                                                                                                                                                                    SHA1:E6DE1F6BCE5358F3C220A8DDC2B3150A10E19827
                                                                                                                                                                    SHA-256:AB03A854F269EC89C89C3CE6513FC8D6B10D745F93417F2D66BF49467E63628B
                                                                                                                                                                    SHA-512:1C4CBB6B219AAAA9DBE8388C0B099D98B3C2B198A2C815920782624C907D5F1483B21EDC95F2F11CB9AE3022A72EE39CF79B44C6395038034B892203FD4BBCC0
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.9.2.<./.P.i.d.>.......
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4853.tmp.xml
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4678
                                                                                                                                                                    Entropy (8bit):4.453885994431024
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:cvIwSD8zsKJgtWI9GijWSC8Bs8fm8M4Jwg4FFV+q8ve4iD8mvkid:uITfYYSSNXJwJKYD8mvkid
                                                                                                                                                                    MD5:6587BF881C2BBC1539A0A73761FB09BF
                                                                                                                                                                    SHA1:8E275A66F04346C0B37DF82A1B4310E9E24BD127
                                                                                                                                                                    SHA-256:EE6CA846D2DC06F3DDE61784CD9734C4019CD4C25C01751BC37E8FA518C0A557
                                                                                                                                                                    SHA-512:AC58651647A9E03431A71A74F3E755D54280D8F8FFF3A851B7396E5A727CAE1D6E610250B1C7AA7659C8601201A0195400C572AA743125906F081EC4019D368E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="769992" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER66E5.tmp.dmp
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:Mini DuMP crash report, 14 streams, Sun Dec 13 08:01:53 2020, 0x1205a4 type
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):381235
                                                                                                                                                                    Entropy (8bit):3.726369952694676
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:Krc70C11jd+pcxQPItf8tXuTqeYE9gIOgF5Bs40pnUCgUr1YTEZoZkVUf5:Z0C1KpcxoId9RpDB5kTjtZke0
                                                                                                                                                                    MD5:DCAF4A763463093572CF3413F2DB0631
                                                                                                                                                                    SHA1:A19832FE081B35F97815CFFDA1F95896C8F88E5F
                                                                                                                                                                    SHA-256:D75A0EEEE5811A1E97DFDFAA729E57141489CF522C778BABB6D7C59B44AEF3A4
                                                                                                                                                                    SHA-512:9176F61480FF799FEF3BB8003BBC647D473A7BB5C7EAA34E07E8EBB3AD81BD8C88A715FF90BDFEE06CDD20F4644A074EE84933DADC1F8DA1FCDB1309BE0DACC9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: MDMP....... .......q.._...................U...........B.......+......GenuineIntelW...........T.......@...S.._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C31.tmp.WERInternalMetadata.xml
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):8390
                                                                                                                                                                    Entropy (8bit):3.692160405786034
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:Rrl7r3GLNiOW6X96YQA6I2gmfZNSS1+prC89bD8sf6hm:RrlsNiX6N6YP6hgmfTSSaDPfl
                                                                                                                                                                    MD5:F12D43E7375BD532C4160953F93680BB
                                                                                                                                                                    SHA1:C001EFAFE2B476EF477678376F657D8CBCE1D141
                                                                                                                                                                    SHA-256:92AE90B0A2F9D21F9CABF09AB7FC00B4EE9C8DF780A5DED4C7E2E33D8BB4311D
                                                                                                                                                                    SHA-512:ADB73A899122BF5542BADFB4982F030A3975C56379DD7A9B73811354A255C721A188F781E997273FBC17AC17BFECF8F2B54C41FFF2BCFA276B700058C3470B08
                                                                                                                                                                    Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EB1.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Dec 13 08:02:08 2020, 0x1205a4 type
Category:dropped
Size (bytes):319716
Entropy (8bit):3.6635484587549323
Encrypted:false
SSDEEP:3072:3xOpn0q+3rMjd+pDYQLmVmXEKIPZ9gIOgF5Ux0fXtHu8tUCgUBxPVQSMHyou27T:30n0qA9pUQLAPZ9RpD0ktTjLVPkyjaT
MD5:FD292877F5D1C6C40F173F046962F324
SHA1:C48A58D1E97C95F47ABBF359349EDB5E65248CC6
SHA-256:65964A546E09E061E6393A4DB1871CD162209D2F2F1BF4CA8C63E23CDC8B8742
SHA-512:810164407F01F013273941A83FA575CD05C238AD6138B0E78F7B29D9C5AB70B4635751E52EE6093DBA2D3F4E1DDCCAE4EB08352F3E0A6EF63C8599FD06871AC1
Malicious:false
Preview: MDMP....... .........._...................U...........B......D/......GenuineIntelW...........T.......L...\.._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9143.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4662
Entropy (8bit):4.450150440567069
Encrypted:false
SSDEEP:48:cvIwSD8zsKJgtWI9GijWSC8BtJ8fm8M4JwIwFN+q8v6cLD8mvkyd:uITfYYSSN7uJwnKhD8mvkyd
MD5:7E4D714F5FC07D4F82F0AAD6A5EDC59D
SHA1:94819B569BB4D96B5394FB57A261AD69063734F4
SHA-256:AAA058483D7780AB315361D87C1D3892F591E90D35E10F54A4D80F0F2E0EB120
SHA-512:F5A7D2D505E07177064000BC625BF4079BA89D2BDF985B2F78563F3C4F5D8DF77A96DB346365AA224A09F164AA78D04B1B1E1D3786ED09735EC0278D2DBECBFD
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="769992" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD37B.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8400
Entropy (8bit):3.6941514372776383
Encrypted:false
SSDEEP:192:Rrl7r3GLNiJH6zG6YrbSUbzVugmfZGS1+prR89brFsftJk5m:RrlsNiJ6y6Y3SUbzVugmfkSfreftp
MD5:0478538EFB2FE16D22BEFE4F0E81A643
SHA1:8D70E3CE33BEB589559A91DE4B246EED25DAC4CE
SHA-256:A32332DDD34E09FC7F8695271FC5A657971FA05C9C2D7C41A4A49EE45396AF91
SHA-512:5378571C4D05C630A134A5483CDE1508BA15ADA9A429404494D61BE51E7423A7DDE212334D7BA070E139F55A648CCF50E5F2043DC21C41A54B00ECB29C0E87F6
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBAA.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4678
Entropy (8bit):4.457511622378531
Encrypted:false
SSDEEP:48:cvIwSD8zsKJgtWI9GijWSC8BtU8fm8M4Jwg4FFyiP+q8ve4dtD8mvkYd:uITfYYSSN7ZJwBPKftD8mvkYd
MD5:10B2CF41DEAE8A8351371EF0DB2D2648
SHA1:538C64F46C1D74BA896C905A04EC7E82A1CA160E
SHA-256:F9218ED3D67A057DF5FB56B675A9C7714E2834F21DAEEE9CF38DCADF54D482E2
SHA-512:290195C62C9694F418F51DCEB5FD29A80B5F61ED836804363B88DD1BA04FF9F83C34C9A1B5E822B589993573F16424338F40BA284025376676F400DCC9EB6156
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="769992" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24F.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Dec 13 08:02:32 2020, 0x1205a4 type
Category:dropped
Size (bytes):325888
Entropy (8bit):3.6285567212926466
Encrypted:false
SSDEEP:3072:1SG80/q8jd+p8NXdWhXLbbGY9gIOgF5n80XXEuX8UCgUkNcEujRaBjok189aK:UB0up8jA2Y9RpDn8BTjkKjcBjxHK
MD5:8E46E3CF56138D21CB385B9640E8B283
SHA1:5CD89F01AE0863906382C7BDC0117BC4F5E85C55
SHA-256:617E4F1CD17E9B245552AFF0DEC6EE25B30558B31A6EE84D2186AF92C46D03CF
SHA-512:A77FE7FB51BB2AF51875D91338F82929810A26735233151E814CEF182E70F0D3CEF5D93A2F6607D94B6A71F54C0A54E9E189EF2E047C5A0C0E73AC29697AEF3B
Malicious:false
Preview: MDMP....... .........._...................U...........B......t/......GenuineIntelW...........T...........d.._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pictures.exe.log
Process:C:\Users\user\Desktop\Pictures.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1314
Entropy (8bit):5.350128552078965
Encrypted:false
SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Process:C:\Users\user\Desktop\Pictures.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):23560
Entropy (8bit):6.2301111727309255
Encrypted:false
SSDEEP:384:BHeKiySeg7HNUqYabYBTzlly6LjCOnjNBLUJfl5RxVtFIwJGuYetXnFNS6PDgf2C:BH9ihegDSqYabST5UsJLGflvx/FIwJGp
MD5:97DF3062B2FDA05A79936B955CFF4351
SHA1:3B373CE09CAD268B3AE86454F4BA23D70E59770F
SHA-256:99CC3ED45AB5F25CC7131DE81F5084D476B04AFA9DEF647A0A7D20F1BEB95ADB
SHA-512:1674B36C55FF1A438627BD73C92C2BD8A88B00F8D3459C94132B541080235974670DC8532F4E0D786AC27DCD1822FE6521DE298AFC23E2B097A35966616496CD
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 16%, Browse
• Antivirus: ReversingLabs, Detection: 41%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K+._.................D...........b... ........@.. ...............................f....@..................................b..O....................H............................................................... ............... ..H............text....C... ...D.................. ..`.reloc...............F..............@..B.........................................................b......H........3...............................................................*.r...p......%.r...p.%.r...p.%.r...p.%.r!..p.(6...*.r...p......%.r...p.%.r...p.%.r...p.%.rY..p.(6...*.r...p......%.r...p.%.r...p.%.r...p.(6...**....(7...*..0..R.............r...p........(.....(....(....#.....@.@[#.......@X(........8....+...........*...0................r...p(.....s........+...........o....(....o.........o....rY..p(....(....o.........o.... ....o.........o.... ....o.........o.... ....o.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe:Zone.Identifier
Process:C:\Users\user\Desktop\Pictures.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt
Process:C:\Users\user\Desktop\Pictures.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:3:3
MD5:894A9B94BCC5969B60BD18E8EA9C0DDC
SHA1:F04A8305CF42ECB7BD5B110ADAB57CE9F68AF30C
SHA-256:7EE3819BF62F7E4563A2A9476DF6E18A6CD17CCEB30B92F00A24A6C8175E3740
SHA-512:56088DA0021FBDB8F45EC54B65B929FF335DC38DE3532911125F7783D5FC04142DF54CAA595CBF666E74EE9CF414F8AE8811E4CA3C1AFB14DDE49B15F57CC565
Malicious:false
Preview: 6464

C:\Users\user\AppData\Roaming\pidloc.txt
Process:C:\Users\user\Desktop\Pictures.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):35
Entropy (8bit):3.9544425746945726
Encrypted:false
SSDEEP:3:oNt+WfW1M3N:oNwvG3N
MD5:07404D15FD6211796ACE5BB35AAA3EAB
SHA1:22854F5FC0F005772FA41B8B3816E08468AD00C8
SHA-256:E7F738FB66E5FEC38DC7DE9778750EA4AE2C33ECC12ABECD3F8A1D62D42C83FE
                                                                                                                                                                    SHA-512:6E0B802303646D08F9BCF327D1FB493C57FD83435E920DDD87136044E047484A8EBCEFBE88C018B539A1A876B754A461ADDDA8865B99BCF329CFCED2E294D7DE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview: C:\Users\user\Desktop\Pictures.exe

                                                                                                                                                                    Static File Info

                                                                                                                                                                    General

                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Entropy (8bit):6.2301111727309255
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                    File name:Pictures.exe
                                                                                                                                                                    File size:23560
                                                                                                                                                                    MD5:97df3062b2fda05a79936b955cff4351
                                                                                                                                                                    SHA1:3b373ce09cad268b3ae86454f4ba23d70e59770f
                                                                                                                                                                    SHA256:99cc3ed45ab5f25cc7131de81f5084d476b04afa9def647a0a7d20f1beb95adb
                                                                                                                                                                    SHA512:1674b36c55ff1a438627bd73c92c2bd8a88b00f8d3459c94132b541080235974670dc8532f4e0d786ac27dcd1822fe6521de298afc23e2b097a35966616496cd
                                                                                                                                                                    SSDEEP:384:BHeKiySeg7HNUqYabYBTzlly6LjCOnjNBLUJfl5RxVtFIwJGuYetXnFNS6PDgf2C:BH9ihegDSqYabST5UsJLGflvx/FIwJGp
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K+._.................D...........b... ........@.. ...............................f....@................................

                                                                                                                                                                    File Icon

                                                                                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                                                                                    Static PE Info

                                                                                                                                                                    General

                                                                                                                                                                    Entrypoint:0x4062fe
                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                    Digitally signed:true
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                                    Time Stamp:0x5FD42B4B [Sat Dec 12 02:30:35 2020 UTC]
                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                    File Version Major:4
                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                    Authenticode Signature

                                                                                                                                                                    Signature Valid:false
                                                                                                                                                                    Signature Issuer:C=US, L=New York, OU=Edadebedfbfbdf, O=Bdcbfdcccbeecbabbacdedecdf, CN=Ceefaccdedbfbbaaaadacdbf
                                                                                                                                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                                                                    Error Number:-2146762487
Not Before:12/12/2020 3:30:35 AM
Not After:12/12/2021 3:30:35 AM
                                                                                                                                                                    Subject Chain
                                                                                                                                                                    • C=US, L=New York, OU=Edadebedfbfbdf, O=Bdcbfdcccbeecbabbacdedecdf, CN=Ceefaccdedbfbbaaaadacdbf
                                                                                                                                                                    Version:3
                                                                                                                                                                    Thumbprint MD5:DA559288943C5E541A1413DCD339D0D5
                                                                                                                                                                    Thumbprint SHA-1:9D5B6BC86775395992A25D21D696D05D634A89D1
                                                                                                                                                                    Thumbprint SHA-256:57738207D610994A6136D361387FDBB248EEC709FD3DCBA74EC8A330A9A56ED9
                                                                                                                                                                    Serial:00AEC009984FA957F3F48FE3104CA9BABC

                                                                                                                                                                    Entrypoint Preview

                                                                                                                                                                    Instruction
                                                                                                                                                                    jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x62ac | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4800 | 0x1408 | .text
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4304 | 0x4400 | False | 0.415096507353 | data | 5.84634593861 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0611628522412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
mscoree.dll | _CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2020 09:01:16.487791061 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.510068893 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.510797024 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.566931009 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.589230061 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.592657089 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.592685938 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.592804909 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.604289055 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.626605988 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.626746893 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.681402922 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.695121050 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.717421055 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924024105 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924063921 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924094915 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924114943 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924139977 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.924144030 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924171925 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924185038 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.924200058 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924237013 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924248934 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924263954 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924266100 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.924273968 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924289942 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924299955 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924314022 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924323082 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924338102 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924348116 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924361944 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924376011 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:16.924470901 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:16.924544096 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010344028 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010400057 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010453939 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010488987 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010535002 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010562897 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010565042 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010582924 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010606050 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010657072 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010689974 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010726929 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010735035 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010740995 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010771990 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010803938 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010833025 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010867119 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.010870934 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010910988 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010950089 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.010994911 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011001110 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011023998 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011054039 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011091948 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011094093 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011096954 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011132956 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011169910 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011215925 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011236906 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011240959 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011249065 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011286974 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011317015 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011324883 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011363029 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011392117 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.011399031 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.011430979 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.013441086 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.056524992 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.094012976 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094034910 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094048023 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094055891 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094070911 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094086885 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094105005 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094125032 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094134092 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.094142914 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094161034 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094183922 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094197989 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094219923 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094237089 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094249964 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.094259024 CET | 49749 | 443 | 192.168.2.4 | 172.67.143.180
Dec 13, 2020 09:01:17.094261885 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4
Dec 13, 2020 09:01:17.094285965 CET | 443 | 49749 | 172.67.143.180 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2020 09:01:07.117855072 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:07.144911051 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:07.780612946 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:07.804809093 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:08.583662987 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:08.619175911 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:09.278830051 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:09.315783024 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:10.104551077 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:10.137147903 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:12.246356010 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:12.273403883 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:13.063663006 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:13.099335909 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:13.982692957 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Dec 13, 2020 09:01:14.006998062 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Dec 13, 2020 09:01:14.875528097 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:14.899744987 CET53617218.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:15.870129108 CET5125553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:15.894267082 CET53512558.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:16.433238029 CET6152253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:16.465677023 CET53615228.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:16.781209946 CET5233753192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:16.805493116 CET53523378.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:17.429711103 CET5504653192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:17.453968048 CET53550468.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:34.059462070 CET4961253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:34.083739042 CET53496128.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:38.094436884 CET4928553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:38.130075932 CET53492858.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:39.192804098 CET5060153192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:39.227588892 CET53506018.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:43.690452099 CET6087553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:43.723305941 CET53608758.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:50.819103956 CET5644853192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:50.851902008 CET53564488.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:55.112220049 CET5917253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:55.146486044 CET53591728.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:01:58.418241978 CET6242053192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:01:58.442744970 CET53624208.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:04.271701097 CET6057953192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:04.296154976 CET53605798.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:09.147290945 CET5018353192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:09.214890003 CET53501838.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:09.634826899 CET6153153192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:09.685215950 CET53615318.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:10.038877010 CET4922853192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:10.074387074 CET53492288.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:10.445342064 CET5979453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:10.478070021 CET53597948.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:11.405864000 CET5591653192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:11.443872929 CET53559168.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:11.771887064 CET5275253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:11.804393053 CET53527528.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:12.120671034 CET6054253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:12.147738934 CET53605428.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:12.558737993 CET6068953192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:12.574285984 CET6420653192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:12.585782051 CET53606898.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:12.609813929 CET53642068.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:13.054713011 CET5090453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:13.090099096 CET53509048.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:13.354191065 CET5752553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:13.387249947 CET53575258.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:14.419780016 CET5381453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:14.443931103 CET53538148.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:15.163750887 CET5341853192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:15.196762085 CET53534188.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:16.313414097 CET6283353192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:16.358726978 CET53628338.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:17.037868977 CET5926053192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:17.071844101 CET53592608.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:18.221879005 CET4994453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:18.257651091 CET53499448.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:30.878645897 CET6330053192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:30.902821064 CET53633008.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:32.494139910 CET6144953192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:32.518338919 CET53614498.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:37.862979889 CET5127553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:37.896147966 CET53512758.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:39.831494093 CET6349253192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:39.866903067 CET53634928.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:44.319679976 CET5894553192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:44.344043970 CET53589458.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:48.099230051 CET6077953192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:48.123490095 CET53607798.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:52.501990080 CET6401453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:52.537776947 CET53640148.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:53.513276100 CET5709153192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:53.537516117 CET53570918.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:54.773585081 CET5590453192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:54.821656942 CET53559048.8.8.8192.168.2.4
                                                                                                                                                                    Dec 13, 2020 09:02:58.513851881 CET5210953192.168.2.48.8.8.8
                                                                                                                                                                    Dec 13, 2020 09:02:58.546385050 CET53521098.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 13, 2020 09:01:16.433238029 CET | 192.168.2.4 | 8.8.8.8 | 0xf901 | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:38.094436884 CET | 192.168.2.4 | 8.8.8.8 | 0xe00a | Standard query (0) | 164.204.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Dec 13, 2020 09:01:39.192804098 CET | 192.168.2.4 | 8.8.8.8 | 0x7fe2 | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:50.819103956 CET | 192.168.2.4 | 8.8.8.8 | 0xfb36 | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:58.418241978 CET | 192.168.2.4 | 8.8.8.8 | 0xa51c | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:12.574285984 CET | 192.168.2.4 | 8.8.8.8 | 0x2f26 | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:15.163750887 CET | 192.168.2.4 | 8.8.8.8 | 0x3fb8 | Standard query (0) | hastebin.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:17.037868977 CET | 192.168.2.4 | 8.8.8.8 | 0xaa21 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:39.831494093 CET | 192.168.2.4 | 8.8.8.8 | 0x328a | Standard query (0) | 164.204.10.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Dec 13, 2020 09:02:58.513851881 CET | 192.168.2.4 | 8.8.8.8 | 0x1cf8 | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 13, 2020 09:01:16.465677023 CET | 8.8.8.8 | 192.168.2.4 | 0xf901 | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:16.465677023 CET | 8.8.8.8 | 192.168.2.4 | 0xf901 | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:16.465677023 CET | 8.8.8.8 | 192.168.2.4 | 0xf901 | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:38.130075932 CET | 8.8.8.8 | 192.168.2.4 | 0xe00a | Name error (3) | 164.204.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Dec 13, 2020 09:01:39.227588892 CET | 8.8.8.8 | 192.168.2.4 | 0x7fe2 | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:39.227588892 CET | 8.8.8.8 | 192.168.2.4 | 0x7fe2 | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:39.227588892 CET | 8.8.8.8 | 192.168.2.4 | 0x7fe2 | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:50.851902008 CET | 8.8.8.8 | 192.168.2.4 | 0xfb36 | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:50.851902008 CET | 8.8.8.8 | 192.168.2.4 | 0xfb36 | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:50.851902008 CET | 8.8.8.8 | 192.168.2.4 | 0xfb36 | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:58.442744970 CET | 8.8.8.8 | 192.168.2.4 | 0xa51c | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:58.442744970 CET | 8.8.8.8 | 192.168.2.4 | 0xa51c | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:01:58.442744970 CET | 8.8.8.8 | 192.168.2.4 | 0xa51c | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:12.609813929 CET | 8.8.8.8 | 192.168.2.4 | 0x2f26 | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:12.609813929 CET | 8.8.8.8 | 192.168.2.4 | 0x2f26 | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:12.609813929 CET | 8.8.8.8 | 192.168.2.4 | 0x2f26 | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:15.196762085 CET | 8.8.8.8 | 192.168.2.4 | 0x3fb8 | No error (0) | hastebin.com | | 172.67.143.180 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:15.196762085 CET | 8.8.8.8 | 192.168.2.4 | 0x3fb8 | No error (0) | hastebin.com | | 104.24.126.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:15.196762085 CET | 8.8.8.8 | 192.168.2.4 | 0x3fb8 | No error (0) | hastebin.com | | 104.24.127.89 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:17.071844101 CET | 8.8.8.8 | 192.168.2.4 | 0xaa21 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)
Dec 13, 2020 09:02:39.866903067 CET | 8.8.8.8 | 192.168.2.4 | 0x328a | Name error (3) | 164.204.10.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Dec 13, 2020 09:02:58.546385050 CET | 8.8.8.8 | 192.168.2.4 | 0x1cf8 | No error (0) | smtp.privateemail.com | | 199.193.7.228 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Dec 13, 2020 09:01:16.592685938 CET
Source IP: 172.67.143.180, Source Port: 443, Dest IP: 192.168.2.4, Dest Port: 49749
Certificate chain presented by the server:
  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
  Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Not Before: Sat Jul 25 02:00:00 CEST 2020, Not After: Sun Jul 25 14:00:00 CEST 2021
  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:48:08 CET 2020, Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Timestamp: Dec 13, 2020 09:01:39.361706018 CET
Source IP: 104.24.126.89, Source Port: 443, Dest IP: 192.168.2.4, Dest Port: 49755
Certificate chain presented by the server:
  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
  Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Not Before: Sat Jul 25 02:00:00 CEST 2020, Not After: Sun Jul 25 14:00:00 CEST 2021
  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:48:08 CET 2020, Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:01:12
Start date: 13/12/2020
Path: C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Pictures.exe'
Imagebase: 0x960000
File size: 23560 bytes
MD5 hash: 97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.746517106.0000000003E88000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:01:13
Start date: 13/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:14
Start date: 13/12/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:14
Start date: 13/12/2020
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 4.769
Imagebase: 0x1190000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:23
Start date: 13/12/2020
Path: C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Pictures.exe
Imagebase: 0xef0000
File size: 23560 bytes
MD5 hash: 97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.817381181.0000000004281000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.814621175.000000000351A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.807250814.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000007.00000002.812978942.0000000003281000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000002.814706345.000000000352A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:01:25
Start date: 13/12/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
Imagebase: 0x1150000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 09:01:32
Start date: 13/12/2020
Path: C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Pictures.exe'
Imagebase: 0x180000
File size: 23560 bytes
MD5 hash: 97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000C.00000002.874949951.00000000043AC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000C.00000002.882295269.00000000061BC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:01:33
Start date: 13/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 4.769
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:34
Start date: 13/12/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:34
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:timeout 4.769
                                                                                                                                                                    Imagebase:0x1190000
                                                                                                                                                                    File size:26112 bytes
                                                                                                                                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:40
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Users\user\Desktop\Pictures.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:'C:\Users\user\Desktop\Pictures.exe'
                                                                                                                                                                    Imagebase:0x780000
                                                                                                                                                                    File size:23560 bytes
                                                                                                                                                                    MD5 hash:97DF3062B2FDA05A79936B955CFF4351
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000012.00000002.888849131.00000000041D6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                    Reputation:low

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:40
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1840
                                                                                                                                                                    Imagebase:0x1150000
                                                                                                                                                                    File size:434592 bytes
                                                                                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000013.00000003.746755143.00000000058A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:42
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:'C:\Windows\System32\cmd.exe' /c timeout 4.769
                                                                                                                                                                    Imagebase:0x11d0000
                                                                                                                                                                    File size:232960 bytes
                                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:42
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff724c50000
                                                                                                                                                                    File size:625664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:43
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:timeout 4.769
                                                                                                                                                                    Imagebase:0x1190000
                                                                                                                                                                    File size:26112 bytes
                                                                                                                                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:48
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Users\user\Desktop\Pictures.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Users\user\Desktop\Pictures.exe
                                                                                                                                                                    Imagebase:0x8f0000
                                                                                                                                                                    File size:23560 bytes
                                                                                                                                                                    MD5 hash:97DF3062B2FDA05A79936B955CFF4351
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000017.00000002.780102732.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:49
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Users\user\Desktop\Pictures.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:'C:\Users\user\Desktop\Pictures.exe'
                                                                                                                                                                    Imagebase:0x910000
                                                                                                                                                                    File size:23560 bytes
                                                                                                                                                                    MD5 hash:97DF3062B2FDA05A79936B955CFF4351
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000002.837966470.0000000003F76000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                    • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000018.00000002.841324147.00000000040A2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                                    General

                                                                                                                                                                    Start time:09:01:51
                                                                                                                                                                    Start date:13/12/2020
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1092
Imagebase:0x1150000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:09:01:51
Start date:13/12/2020
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\cmd.exe' /c timeout 4.769
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:01:52
Start date:13/12/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:01:52
Start date:13/12/2020
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:timeout 4.769
Imagebase:0x1190000
File size:26112 bytes
MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:01:57
Start date:13/12/2020
Path:C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Pictures.exe'
Imagebase:0xde0000
File size:23560 bytes
MD5 hash:97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001F.00000002.988442141.0000000004250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time:09:02:00
Start date:13/12/2020
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\cmd.exe' /c timeout 4.769
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:02:00
Start date:13/12/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:02:01
Start date:13/12/2020
Path:C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):true
Commandline:timeout 4.769
Imagebase:0x1190000
File size:26112 bytes
MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

General

Start time:09:02:01
Start date:13/12/2020
Path:C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\Pictures.exe
Imagebase:0xd50000
File size:23560 bytes
MD5 hash:97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000023.00000002.780175587.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time:09:02:04
Start date:13/12/2020
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1652
Imagebase:0x1150000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

General

Start time:09:02:06
Start date:13/12/2020
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pictures.exe'
Imagebase:0x1e0000
File size:23560 bytes
MD5 hash:97DF3062B2FDA05A79936B955CFF4351
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.869677007.0000000003FC6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.866236197.000000000399A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 16%, Metadefender
• Detection: 41%, ReversingLabs

Disassembly

Code Analysis