
Analysis Report BV10013 (Rev A).scr

Overview

General Information

Sample Name: BV10013 (Rev A).scr (renamed file extension from scr to exe)
Analysis ID: 253854
MD5: 5ba833ae0b992d08486739f4dc0065dd
SHA1: 3ee633de3f2b4445383efd7b7bb0d3d943b11904
SHA256: 0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984

Detection

AveMaria, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Sleep loop found (likely to delay execution)
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Spawns drivers
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • BV10013 (Rev A).exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\BV10013 (Rev A).exe' MD5: 5BA833AE0B992D08486739F4DC0065DD)
    • BV10013 (Rev A).exe (PID: 1840 cmdline: 'C:\Users\user\Desktop\BV10013 (Rev A).exe' MD5: 5BA833AE0B992D08486739F4DC0065DD)
      • fipic.scr (PID: 3484 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /S MD5: 5BA833AE0B992D08486739F4DC0065DD)
        • fipic.scr (PID: 6284 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /S MD5: 5BA833AE0B992D08486739F4DC0065DD)
  • wscript.exe (PID: 5956 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • fipic.scr (PID: 6028 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr MD5: 5BA833AE0B992D08486739F4DC0065DD)
      • fipic.scr (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr MD5: 5BA833AE0B992D08486739F4DC0065DD)
  • wscript.exe (PID: 1196 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • fipic.scr (PID: 6820 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr MD5: 5BA833AE0B992D08486739F4DC0065DD)
      • fipic.scr (PID: 2056 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr MD5: 5BA833AE0B992D08486739F4DC0065DD)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000009.00000003.301794612.0000000000A61000.00000004.00000001.sdmp; Rule: JoeSecurity_AveMaria; Description: Yara detected AveMaria stealer; Author: Joe Security
Source: 00000009.00000003.428255927.0000000000A61000.00000004.00000001.sdmp; Rule: JoeSecurity_AveMaria; Description: Yara detected AveMaria stealer; Author: Joe Security
Source: 00000009.00000003.430117293.0000000000A61000.00000004.00000001.sdmp; Rule: JoeSecurity_AveMaria; Description: Yara detected AveMaria stealer; Author: Joe Security
Source: 00000009.00000003.432027123.0000000000A61000.00000004.00000001.sdmp; Rule: JoeSecurity_AveMaria; Description: Yara detected AveMaria stealer; Author: Joe Security
Source: 00000009.00000003.304104072.0000000000A61000.00000004.00000001.sdmp; Rule: JoeSecurity_AveMaria; Description: Yara detected AveMaria stealer; Author: Joe Security
(54 matching memory dumps in total; the first five are listed here.)

Sigma Overview

System Summary:

Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x1f05b, data 9: -
Sigma detected: Local User Creation
Source: Event Logs; Author: Patrick Bareiss; Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: BBmKEKa, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x1f05b, data 7: -, data 8: BBmKEKa, data 9: %%1793

Signature Overview

AV Detection:

Yara detected AveMaria stealer
Source: Yara match; File source: Process Memory Space: fipic.scr PID: 6284, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.3:49729 -> 216.170.119.24:5200
Source: global traffic; HTTP traffic detected: GET /oke_qrerqI1.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: seedwellresources.xyz | Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 216.170.119.24 (this entry is repeated 50 times in the report)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 12_2_006BA04E InternetReadFile, 12_2_006BA04E
Source: unknown; DNS traffic detected: queries for: seedwellresources.xyz
Source: fipic.scr, 00000009.00000002.511502848.00000000006B0000.00000040.00000001.sdmp, fipic.scr, 0000000C.00000002.308409602.00000000006B0000.00000040.00000001.sdmp, fipic.scr, 00000014.00000002.335061989.00000000006B0000.00000040.00000001.sdmp; String found in binary or memory: http://seedwellresources.xyz/oke_qrerqI1.bin
Source: fipic.scr, 00000009.00000003.304882641.0000000000A9B000.00000004.00000001.sdmp, sqlmap.dll.9.dr; String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: fipic.scr, 00000009.00000003.301794612.0000000000A61000.00000004.00000001.sdmp, fipic.scr, 00000009.00000003.297352454.0000000000A66000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: fipic.scr, 00000009.00000003.301794612.0000000000A61000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match; File source: Process Memory Space: fipic.scr PID: 6284, type: MEMORY
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02219A21 NtProtectVirtualMemory, 0_2_02219A21
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02211863 NtSetInformationThread, TerminateProcess, 0_2_02211863
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_022139F2 NtWriteVirtualMemory, 0_2_022139F2
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02213A3D NtWriteVirtualMemory, 0_2_02213A3D
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A2F5 NtResumeThread, 0_2_0221A2F5
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02219EFD NtResumeThread, 0_2_02219EFD
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A6D5 NtResumeThread, 0_2_0221A6D5
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02213BF9 NtWriteVirtualMemory, 0_2_02213BF9
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02214029 NtWriteVirtualMemory, 0_2_02214029
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02216845 NtWriteVirtualMemory, 0_2_02216845
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A445 NtResumeThread, 0_2_0221A445
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A04E NtResumeThread, 0_2_0221A04E
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A856 NtResumeThread, 0_2_0221A856
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_022138A5 NtWriteVirtualMemory, 0_2_022138A5
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221248C NtWriteVirtualMemory, 0_2_0221248C
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_022108ED NtSetInformationThread, TerminateProcess, 0_2_022108ED
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A587 NtResumeThread, 0_2_0221A587
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_0221A18A NtResumeThread, 0_2_0221A18A
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 0_2_02213DEE NtWriteVirtualMemory, 0_2_02213DEE
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 2_2_006B1863 NtSetInformationThread, TerminateProcess, 2_2_006B1863
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 2_2_006B9A21 NtProtectVirtualMemory, 2_2_006B9A21
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe; Code function: 2_2_006B08ED NtSetInformationThread, TerminateProcess, 2_2_006B08ED
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02149A21 NtProtectVirtualMemory, 3_2_02149A21
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02141863 NtSetInformationThread, TerminateProcess, 3_2_02141863
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_021439F2 NtWriteVirtualMemory, 3_2_021439F2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02143A3D NtWriteVirtualMemory, 3_2_02143A3D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A6D5 NtMapViewOfSection, 3_2_0214A6D5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A2F5 NtMapViewOfSection, 3_2_0214A2F5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02149EFD NtMapViewOfSection, 3_2_02149EFD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02143BF9 NtWriteVirtualMemory, 3_2_02143BF9
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02144029 NtWriteVirtualMemory, 3_2_02144029
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A856 NtMapViewOfSection, 3_2_0214A856
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02146845 NtWriteVirtualMemory, 3_2_02146845
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A445 NtMapViewOfSection, 3_2_0214A445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A04E NtMapViewOfSection, 3_2_0214A04E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214248C NtWriteVirtualMemory, 3_2_0214248C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_021438A5 NtWriteVirtualMemory, 3_2_021438A5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_021408ED NtSetInformationThread, TerminateProcess, 3_2_021408ED
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A587 NtMapViewOfSection, 3_2_0214A587
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_0214A18A NtMapViewOfSection, 3_2_0214A18A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 3_2_02143DEE NtWriteVirtualMemory, 3_2_02143DEE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C9A21 NtProtectVirtualMemory, 7_2_020C9A21
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C1863 NtSetInformationThread, TerminateProcess, 7_2_020C1863
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C39F2 NtWriteVirtualMemory, 7_2_020C39F2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C3A3D NtWriteVirtualMemory, 7_2_020C3A3D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA6D5 NtResumeThread, 7_2_020CA6D5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C9EFD NtResumeThread, 7_2_020C9EFD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA2F5 NtResumeThread, 7_2_020CA2F5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C3BF9 NtWriteVirtualMemory, 7_2_020C3BF9
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C4029 NtWriteVirtualMemory, 7_2_020C4029
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA04E NtResumeThread, 7_2_020CA04E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C6845 NtWriteVirtualMemory, 7_2_020C6845
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA445 NtResumeThread, 7_2_020CA445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA856 NtResumeThread, 7_2_020CA856
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C248C NtWriteVirtualMemory, 7_2_020C248C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C38A5 NtWriteVirtualMemory, 7_2_020C38A5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C08ED NtSetInformationThread, TerminateProcess, 7_2_020C08ED
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA18A NtResumeThread, 7_2_020CA18A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020CA587 NtResumeThread, 7_2_020CA587
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 7_2_020C3DEE NtWriteVirtualMemory, 7_2_020C3DEE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 9_2_006B1863 NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, 9_2_006B1863
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 9_2_006B3262 Sleep, TerminateThread, Sleep, LdrInitializeThunk, NtProtectVirtualMemory, 9_2_006B3262
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 9_2_006B9A21 NtProtectVirtualMemory, 9_2_006B9A21
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr; Code function: 9_2_006B3473 LdrInitializeThunk, RtlAddVectoredExceptionHandler, LdrInitializeThunk, NtProtectVirtualMemory, NtProtectVirtualMemory, 9_2_006B3473
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_2_006B9EF4 NtSetInformationThread,9_2_006B9EF4
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_2_006B487B NtProtectVirtualMemory,9_2_006B487B
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B3473 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,12_2_006B3473
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B48B8 NtProtectVirtualMemory,12_2_006B48B8
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B9A21 NtProtectVirtualMemory,12_2_006B9A21
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B1863 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,12_2_006B1863
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B487B NtProtectVirtualMemory,12_2_006B487B
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B3437 NtProtectVirtualMemory,12_2_006B3437
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B08ED NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,12_2_006B08ED
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B48C5 NtProtectVirtualMemory,12_2_006B48C5
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B348D NtProtectVirtualMemory,12_2_006B348D
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 12_2_006B4A2F NtProtectVirtualMemory,12_2_006B4A2F
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F9A21 NtProtectVirtualMemory,14_2_021F9A21
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F1863 NtSetInformationThread,TerminateProcess,14_2_021F1863
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F39F2 NtWriteVirtualMemory,14_2_021F39F2
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F3A3D NtWriteVirtualMemory,14_2_021F3A3D
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA6D5 NtMapViewOfSection,14_2_021FA6D5
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F9EFD NtMapViewOfSection,14_2_021F9EFD
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA2F5 NtMapViewOfSection,14_2_021FA2F5
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F3BF9 NtWriteVirtualMemory,14_2_021F3BF9
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F4029 NtWriteVirtualMemory,14_2_021F4029
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA856 NtMapViewOfSection,14_2_021FA856
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA04E NtMapViewOfSection,14_2_021FA04E
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F6845 NtWriteVirtualMemory,14_2_021F6845
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA445 NtMapViewOfSection,14_2_021FA445
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F248C NtWriteVirtualMemory,14_2_021F248C
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F38A5 NtWriteVirtualMemory,14_2_021F38A5
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F08ED NtSetInformationThread,TerminateProcess,14_2_021F08ED
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA18A NtMapViewOfSection,14_2_021FA18A
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021FA587 NtMapViewOfSection,14_2_021FA587
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 14_2_021F3DEE NtWriteVirtualMemory,14_2_021F3DEE
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B3473 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,20_2_006B3473
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B48B8 NtProtectVirtualMemory,20_2_006B48B8
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B9A21 NtProtectVirtualMemory,20_2_006B9A21
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B1863 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,20_2_006B1863
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B487B NtProtectVirtualMemory,20_2_006B487B
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B3437 NtProtectVirtualMemory,20_2_006B3437
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B08ED NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,20_2_006B08ED
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B48C5 NtProtectVirtualMemory,20_2_006B48C5
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B348D NtProtectVirtualMemory,20_2_006B348D
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 20_2_006B4A2F NtProtectVirtualMemory,20_2_006B4A2F
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeCode function: 0_2_004024280_2_00402428
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB756B09_3_1EB756B0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB77E709_3_1EB77E70
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB646609_3_1EB64660
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB797309_3_1EB79730
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB787209_3_1EB78720
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB6BCD09_3_1EB6BCD0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB704D09_3_1EB704D0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB66C009_3_1EB66C00
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB61D309_3_1EB61D30
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB66D309_3_1EB66D30
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB65AB09_3_1EB65AB0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB742D09_3_1EB742D0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB723509_3_1EB72350
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EBA6B509_3_1EBA6B50
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB75B409_3_1EB75B40
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB760109_3_1EB76010
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB811E09_3_1EB811E0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB7C9C09_3_1EB7C9C0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB7D9209_3_1EB7D920
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: String function: 1EB658A0 appears 107 times
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: String function: 1EB662B0 appears 45 times
            Source: BV10013 (Rev A).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: fipic.scr.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: BV10013 (Rev A).exe, 00000000.00000000.243950703.0000000000411000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBrowbands4.exe vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000000.00000002.262128100.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exeBinary or memory string: OriginalFilename vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000002.00000001.260799656.0000000000400000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMSHTML.TLBD vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000002.00000002.271267310.000000001D4B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000002.00000002.271267310.000000001D4B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000002.00000000.259643272.0000000000411000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBrowbands4.exe vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exe, 00000002.00000002.270963924.000000001D3B0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs BV10013 (Rev A).exe
            Source: BV10013 (Rev A).exeBinary or memory string: OriginalFilenameBrowbands4.exe vs BV10013 (Rev A).exe
            Source: unknownDriver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
            Source: 00000009.00000003.297352454.0000000000A66000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000009.00000003.297410786.0000000000A6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000009.00000003.297396990.0000000000A6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000009.00000003.297327196.0000000000A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@17/4@4/2
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB68C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free,9_3_1EB68C40
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrCode function: 9_3_1EB694E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,LdrInitializeThunk,GetDiskFreeSpaceW,LdrInitializeThunk,GetDiskFreeSpaceA,_free,9_3_1EB694E0
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile created: C:\Users\user\AppData\Local\Microsoft Vision\Jump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeFile created: C:\Users\user\AppData\Local\Temp\~DFFA391B829014DB4B.TMPJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs'
            Source: BV10013 (Rev A).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: fipic.scrBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: fipic.scrBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: fipic.scr, 00000009.00000003.432065455.000000001E97E000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: fipic.scrBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: fipic.scrBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: fipic.scrBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: fipic.scrBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeFile read: C:\Users\user\Desktop\BV10013 (Rev A).exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe'
            Source: unknownProcess created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe'
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /S
            Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs'
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /S
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr
            Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs'
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe' Jump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /SJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr' /SJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrJump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrFile written: C:\Program Files\Microsoft DN1\rdpwrap.iniJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scrDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.iniJump to behavior
            Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: fipic.scr
            Source: Binary string: RfxVmt.pdb source: fipic.scr, 00000009.00000003.302207703.0000000000A85000.00000004.00000001.sdmp
            Source: Binary string: RfxVmt.pdbGCTL source: fipic.scr, 00000009.00000003.302207703.0000000000A85000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: fipic.scr, 00000009.00000003.432065455.000000001E97E000.00000004.00000001.sdmp

            Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 6284, type: MEMORY
Source: Yara match | File source: Process Memory Space: BV10013 (Rev A).exe PID: 1840, type: MEMORY
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 2056, type: MEMORY
Source: Yara match | File source: Process Memory Space: BV10013 (Rev A).exe PID: 7024, type: MEMORY
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 6028, type: MEMORY
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 3484, type: MEMORY
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 6516, type: MEMORY
Source: Yara match | File source: Process Memory Space: fipic.scr PID: 6820, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 9_3_1EBC981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,LdrInitializeThunk,LdrInitializeThunk,DecodePointer,DecodePointer,DecodePointer,9_3_1EBC981B
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_004084B3 push eax; ret 0_2_004084B4
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_004085B3 push eax; ret 0_2_004085B4
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02212664 pushad ; retf 0_2_02212666
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02212643 pushad ; retf 0_2_02212645
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02214DC5 push ecx; iretd 0_2_02215E55
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 2_2_006B4DC5 push ecx; iretd 2_2_006B5E55
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 2_2_006B2664 pushad ; retf 2_2_006B2666
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 2_2_006B2643 pushad ; retf 2_2_006B2645
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 3_2_02142643 pushad ; retf 3_2_02142645
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 3_2_02142664 pushad ; retf 3_2_02142666
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 3_2_02144DC5 push ecx; iretd 3_2_02145E55
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 7_2_020C2643 pushad ; retf 7_2_020C2645
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 7_2_020C2664 pushad ; retf 7_2_020C2666
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 7_2_020C4DC5 push ecx; iretd 7_2_020C5E55
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 9_3_1EBC8D05 push ecx; ret 9_3_1EBC8D18
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 12_2_006B2664 pushad ; retf 12_2_006B2666
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 12_2_006B2643 pushad ; retf 12_2_006B2645
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 14_2_021F2643 pushad ; retf 14_2_021F2645
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 14_2_021F2664 pushad ; retf 14_2_021F2666
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 14_2_021F4DC5 push ecx; iretd 14_2_021F5E55
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 20_2_006B2664 pushad ; retf 20_2_006B2666
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Code function: 20_2_006B2643 pushad ; retf 20_2_006B2645

            Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | File created: C:\Program Files\Microsoft DN1\sqlmap.dll

            Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\fipic.vbs
Source: C:\Windows\system32\drivers\tsusbhub.sys | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Contains functionality to hide user accountsShow sources
            Source: fipic.scr, 00000009.00000003.297352454.0000000000A66000.00000004.00000001.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: fipic.scr, 00000009.00000003.297352454.0000000000A66000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypeB"@v
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Hides user accounts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList BBmKEKa
Note: a DWORD value under SpecialAccounts\UserList named after an account and set to 0 removes that account from the logon screen and from the Users control panel; the report records the value name (BBmKEKa) but not its data, so the corresponding local account and the value data should be checked on an affected host.
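The following hunting script is an added example; it is not part of the Joe Sandbox report and not code from the sample. It checks a live Windows host for the artifacts this section lists: entries under SpecialAccounts\UserList, RunOnce values, TermService/RDP Wrapper tampering matching the strings above, and dropped .scr files without a Zone.Identifier stream. The directory name "Microsoft DN1" and the file names come from the report's strings; the choice of Program Files roots to search, the Temp folder scan and the "stock termsrv.dll" comparison are assumptions made for this example.

```powershell
# Added host-hunting script (example code, not part of the sandbox report or the sample).
# Run from an elevated Windows PowerShell 5.1 session on the host under investigation.
function Invoke-HidingArtifactHunt {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Detail, $Note) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Note = $Note })
    }

    # 1. Hidden accounts. A DWORD value under UserList named after an account and set
    #    to 0 removes it from the logon screen. The key is absent on a default install.
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        $key = Get-Item $userList
        foreach ($name in $key.GetValueNames()) {
            $local = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
            $note  = if ($local) { "local account exists, enabled=$($local.Enabled)" } else { 'no matching local account' }
            Add-Finding 'HiddenAccount' ('{0} = {1}' -f $name, $key.GetValue($name)) $note
        }
    }

    # 2. RunOnce persistence (the report shows three writes to the HKCU key).
    foreach ($hive in 'HKCU', 'HKLM') {
        $runOnce = "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        if (-not (Test-Path $runOnce)) { continue }
        $props = Get-ItemProperty -Path $runOnce
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            Add-Finding 'RunOnce' "$hive\$($p.Name)" $p.Value
        }
    }

    # 3. TermService / RDP Wrapper tampering suggested by the in-memory strings.
    #    Assumption: a genuine TermService loads System32\termsrv.dll; RDP Wrapper
    #    swaps ServiceDll and keeps rdpwrap.ini beside its own DLL.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and $dll -notmatch '(?i)\\system32\\termsrv\.dll$') {
        Add-Finding 'TermServiceDll' $dll 'ServiceDll is not the stock termsrv.dll'
    }
    # "Microsoft DN1" is the directory name in the sample's strings; all Program Files
    # roots are checked because the string referenced %ProgramW6432% (assumed layout).
    $roots = @($env:ProgramW6432, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Select-Object -Unique
    foreach ($root in $roots) {
        if (-not $root) { continue }
        foreach ($name in 'rdpwrap.ini', 'rfxvmt.dll') {
            $path = Join-Path (Join-Path $root 'Microsoft DN1') $name
            if (Test-Path -LiteralPath $path) {
                Add-Finding 'RdpWrapFile' $path ("last write " + (Get-Item -LiteralPath $path).LastWriteTime)
            }
        }
    }
    # Terminal Server values named in the strings. fDenyTSConnections=0 is normal where
    # RDP is intentionally enabled; the other two are the RDP Wrapper multi-session settings.
    $tsValues = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                Name = 'fDenyTSConnections';        Flag = 0 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'; Name = 'EnableConcurrentSessions'; Flag = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'AllowMultipleTSSessions';  Flag = 1 }
    )
    foreach ($v in $tsValues) {
        $cur = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -ne $cur -and $cur -eq $v.Flag) {
            Add-Finding 'TerminalServerValue' "$($v.Path)\$($v.Name)" "set to $cur"
        }
    }

    # 4. Screensaver executables dropped under %TEMP% and whether they still carry the
    #    Mark-of-the-Web stream the sample was seen deleting (scan scope is an assumption).
    Get-ChildItem -Path $env:TEMP -Recurse -Filter '*.scr' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $motw = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        Add-Finding 'ScrInTemp' $_.FullName $(if ($motw) { 'Zone.Identifier present' } else { 'no Zone.Identifier stream' })
    }

    return $findings
}

# Usage:
Invoke-HidingArtifactHunt | Format-Table -AutoSize
```

An empty result table is the expected outcome on a clean host; any HiddenAccount or TermServiceDll row is a strong indicator on its own, while a RunOnce entry or a .scr file in Temp needs the value data and file hash checked against the report's indicators before it is acted on.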
Note: the entries below record SetErrorMode being called with SEM_NOOPENFILEERRORBOX, which suppresses the "file not found" dialog Windows would otherwise show when a dependency fails to load; on its own it is a common, low-confidence indicator.
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fipic.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX