Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756303
MD5: 2479739c5d062ecb325147623241f007
SHA1: 4394b6d2ca4ed82a5f2d70d10cd05cfa3b35ab2c
SHA256: 728de9789af5f2ebc9ac2fac80fee25b186bc5b3acb960650934377f0c77726d
Tags: exe
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Keylogger Generic
Uses Microsoft's Enhanced Cryptographic Provider
PE file contains executable resources (Code or Archives)

Classification

  • System is w10x64
  • file.exe (PID: 3548 cmdline: C:\Users\user\Desktop\file.exe MD5: 2479739C5D062ECB325147623241F007)
    • rundll32.exe (PID: 5248 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: file.exe PID: 3548 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: file.exe; Virustotal: Detection: 38%
    Source: file.exe; Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00878884
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00881940
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,0_2_0087885C
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008799FF CryptDestroyHash,0_2_008799FF
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0087A511 CryptReleaseContext,0_2_0087A511
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00884967 CryptReleaseContext,0_2_00884967
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00883F6C CryptDestroyHash,0_2_00883F6C

    Compliance

    Source: C:\Users\user\Desktop\file.exe; Unpacked PE file: 0.2.file.exe.400000.0.unpack
    Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\file.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
    Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040D450 FindFirstFileW,FindClose,0_2_0040D450
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004235B0 FindFirstFileW,FindClose,0_2_004235B0
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040CE84
    Source: file.exe, 00000000.00000002.258207764.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: Yara match; File source: Process Memory Space: file.exe PID: 3548, type: MEMORYSTR

    System Summary

    Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00881940
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00897244
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00885B34
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_008770C4
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_006BA8DC
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00889622
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0088C79C
    Source: C:\Users\user\Desktop\file.exe; Code function: String function: 0040ACB4 appears 34 times
    Source: C:\Users\user\Desktop\file.exe; Code function: String function: 0040A3C0 appears 76 times
    Source: C:\Users\user\Desktop\file.exe; Code function: String function: 0040A0C0 appears 300 times
    Source: C:\Users\user\Desktop\file.exe; Code function: String function: 0040AEFC appears 33 times
    Source: file.exe; Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
    Source: file.exe; Virustotal: Detection: 38%
    Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Windows\SysWOW64\rundll32.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_027667C6 CreateToolhelp32Snapshot,Module32First,0_2_027667C6
    Source: C:\Users\user\Desktop\file.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess; graph_0-21267
    Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
    Source: unknown; Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
    Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
    Source: classification engine; Classification label: mal60.evad.winEXE@4/5@0/0
    Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\rundll32.exe; Automated click: OK
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: file.exe; Static file information: File size 3776000 > 1048576
    Source: C:\Users\user\Desktop\file.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: file.exe; Static PE information: Raw size of .data is bigger than: 0x100000 < 0x386000
    Source: file.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
    Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe; Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
    Source: C:\Users\user\Desktop\file.exe; Unpacked PE file: 0.2.file.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00422F40 push ecx; mov dword ptr [esp], ecx (0_2_00422F44)
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_02767597 pushad ; iretd (0_2_02767598)
    Source: Serpodtudpwhhta.dll.0.dr; Static PE information: section name: .didata
    Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0085E760
    Source: C:\Users\user\Desktop\file.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\rundll32.exe; RDTSC instruction interceptor: First address: 00000000042A6EB0 second address: 00000000042A778E instructions:
      0x00000000 rdtsc
      0x00000002 mov dword ptr [ebp-0Ch], edx
      0x00000005 mov dword ptr [ebp-24h], 0000000Dh
      0x0000000c mov eax, 00000001h
      0x00000011 cmp eax, 00000000h
      0x00000014 jnbe 00007F93209DD1A3h
      0x00000016 mov eax, dword ptr [ebp-0Ch]
      0x00000019 sub eax, dword ptr [ebp-04h]
      0x0000001c cmp eax, dword ptr [ebp-24h]
      0x0000001f jnl 00007F93209DD1AAh
      0x00000021 inc dword ptr [ebp-14h]
      0x00000024 jmp 00007F93209DD810h
      0x00000029 mov eax, 00000000h
      0x0000002e cmp eax, 00000000h
      0x00000031 je 00007F93209DD1A3h
      0x00000033 cmp dword ptr [ebp-14h], 02h
      0x00000037 jng 00007F93209DD3DAh
      0x0000003d rdtsc
    Source: C:\Users\user\Desktop\file.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess; graph_0-21263
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040D450 FindFirstFileW,FindClose,0_2_0040D450
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004235B0 FindFirstFileW,FindClose,0_2_004235B0
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040CE84
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_027660A3 push dword ptr fs:[00000030h] (0_2_027660A3)
    Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl,0_2_0087C50C
    Source: C:\Users\user\Desktop\file.exe; Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040D588
    Source: C:\Users\user\Desktop\file.exe; Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040CA28
    Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: file.exe, 00000000.00000003.243980722.000000007F700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.252501992.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000000.255187116.0000000003EC1000.00000020.00000001.01000000.00000004.sdmp, Serpodtudpwhhta.dll.0.dr; Binary or memory string: MSASCui.exe
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Command and Scripting Interpreter (2); Native API (11); At (Linux); At (Windows); Cron; Launchd
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1); Software Packing (2)
    Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (12); Virtualization/Sandbox Evasion (1); Process Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (112)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features