Analysis Report BV10013 (Rev A).scr

Overview

General Information

Sample Name: BV10013 (Rev A).scr (renamed file extension from scr to exe)
Analysis ID: 254593
MD5: 11d648a9d7958bef6921898e130f483d
SHA1: c5541a30011d42999fdc795f59d7f985c21b40e9
SHA256: eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides threads from debuggers
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • BV10013 (Rev A).exe (PID: 5060 cmdline: 'C:\Users\user\Desktop\BV10013 (Rev A).exe' MD5: 11D648A9D7958BEF6921898E130F483D)
    • BV10013 (Rev A).exe (PID: 388 cmdline: 'C:\Users\user\Desktop\BV10013 (Rev A).exe' MD5: 11D648A9D7958BEF6921898E130F483D)
      • fil.scr (PID: 2000 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S MD5: 11D648A9D7958BEF6921898E130F483D)
        • fil.scr (PID: 1016 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S MD5: 11D648A9D7958BEF6921898E130F483D)
  • wscript.exe (PID: 988 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • fil.scr (PID: 1328 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr MD5: 11D648A9D7958BEF6921898E130F483D)
      • fil.scr (PID: 5648 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr MD5: 11D648A9D7958BEF6921898E130F483D)
  • wscript.exe (PID: 5048 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • fil.scr (PID: 4516 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr MD5: 11D648A9D7958BEF6921898E130F483D)
      • fil.scr (PID: 4312 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr MD5: 11D648A9D7958BEF6921898E130F483D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: fil.scr PID: 4312 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: BV10013 (Rev A).exe PID: 388 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: fil.scr PID: 4516 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: fil.scr PID: 1016 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: fil.scr PID: 5648 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: unknown | DNS traffic detected: queries for: seedwellresources.xyz
Source: fil.scr, 0000000E.00000002.539003049.0000000000B19000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.bin
Source: fil.scr, 0000000E.00000002.539003049.0000000000B19000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.bin-
Source: fil.scr, 00000008.00000002.538964970.0000000000A3B000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.bin;
Source: fil.scr, 00000008.00000002.538964970.0000000000A3B000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.binG
Source: fil.scr, 0000000E.00000002.538972438.0000000000AFA000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.binT&
Source: fil.scr, 0000000E.00000002.538942012.0000000000ADB000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.bina
Source: fil.scr, 00000008.00000002.539073075.0000000000A6F000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.binb
Source: fil.scr, 0000000E.00000002.539003049.0000000000B19000.00000004.00000020.sdmp | String found in binary or memory: http://seedwellresources.xyz/oke2_EHusZY26.binn
Source: fil.scr, 00000007.00000002.313927641.000000000070A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: BV10013 (Rev A).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fil.scr.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BV10013 (Rev A).exe, 00000000.00000002.290496187.0000000002180000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebukselse.exeFE2XTIPSPRMIERNESe vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000000.00000000.272696711.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebukselse.exe vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000000.00000002.290364027.0000000002110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe | Binary or memory string: OriginalFilename vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000005.00000002.304657628.000000001D400000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000005.00000002.304657628.000000001D400000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000005.00000000.286864932.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebukselse.exe vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000005.00000002.302385898.000000001D390000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe, 00000005.00000001.287580247.0000000000400000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSHTML.TLBD vs BV10013 (Rev A).exe
Source: BV10013 (Rev A).exe | Binary or memory string: OriginalFilenamebukselse.exe vs BV10013 (Rev A).exe
Source: classification engine | Classification label: mal64.troj.evad.winEXE@17/2@40/1
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File created: C:\Users\user\AppData\Local\Temp\~DF50E3D02882216CBC.TMP
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs'
Source: BV10013 (Rev A).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File read: C:\Users\user\Desktop\BV10013 (Rev A).exe
Source: unknown | Process created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe'
Source: unknown | Process created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe'
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /S
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: fil.scr PID: 4312, type: MEMORY
Source: Yara match | File source: Process Memory Space: BV10013 (Rev A).exe PID: 388, type: MEMORY
Source: Yara match | File source: Process Memory Space: fil.scr PID: 4516, type: MEMORY
Source: Yara match | File source: Process Memory Space: fil.scr PID: 1016, type: MEMORY
Source: Yara match | File source: Process Memory Space: fil.scr PID: 5648, type: MEMORY
Source: Yara match | File source: Process Memory Space: fil.scr PID: 1328, type: MEMORY
Source: Yara match | File source: Process Memory Space: BV10013 (Rev A).exe PID: 5060, type: MEMORY
Source: Yara match | File source: Process Memory Space: fil.scr PID: 2000, type: MEMORY
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_00409212 push ebx; retf 0_2_00409213
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_0040BCB4 push ebx; ret 0_2_0040BCCB
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_00409112 push ebx; retf 0_2_00409113
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_00409312 push ebx; retf 0_2_00409313
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_00408B96 push esp; retf 0_2_00408B97

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr (2 identical entries)

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\fil.vbs (2 identical entries)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key (4 identical entries)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process information set: NOOPENFILEERRORBOX (16 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process information set: NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process information set: NOOPENFILEERRORBOX (15 identical entries)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_0214855C rdtsc 0_2_0214855C
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 3408 | Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 3408 | Thread sleep time: -63000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 6116 | Thread sleep count: 59 > 30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 6116 | Thread sleep time: -59000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 484 | Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr TID: 484 | Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Last function: Thread delayed (6 identical entries)
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: fil.scr, 00000008.00000002.538964970.0000000000A3B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: fil.scr, 0000000E.00000002.538942012.0000000000ADB000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: fil.scr | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: BV10013 (Rev A).exe, 00000000.00000002.292830325.00000000039AA000.00000004.00000001.sdmp, BV10013 (Rev A).exe, 00000005.00000002.299888363.000000000229A000.00000004.00000001.sdmp, fil.scr, 00000007.00000002.314915362.0000000003A0A000.00000004.00000001.sdmp, fil.scr, 00000008.00000002.540311210.000000000231A000.00000004.00000001.sdmp, fil.scr, 0000000A.00000002.346906936.0000000003A6A000.00000004.00000001.sdmp, fil.scr, 0000000C.00000002.357878420.00000000038DA000.00000004.00000001.sdmp, fil.scr, 0000000D.00000002.539408104.00000000022AA000.00000004.00000001.sdmp, fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: fil.scr, 0000000E.00000002.539273606.00000000023BA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02144A22 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02145AEF 0_2_02144A22
Hides threads from debuggers
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Thread information set: HideFromDebugger (6 identical entries)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Process queried: DebugPort (6 identical entries)
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_0214855C rdtsc 0_2_0214855C
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02142445 mov eax, dword ptr fs:[00000030h] 0_2_02142445
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_0214809C mov eax, dword ptr fs:[00000030h] 0_2_0214809C
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_021430A6 mov eax, dword ptr fs:[00000030h] 0_2_021430A6
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_021478A0 mov eax, dword ptr fs:[00000030h] 0_2_021478A0
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_021444AB mov eax, dword ptr fs:[00000030h] 0_2_021444AB
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02148ECD mov eax, dword ptr fs:[00000030h] 0_2_02148ECD
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02148D5A mov eax, dword ptr fs:[00000030h] 0_2_02148D5A
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 0_2_02148D68 mov eax, dword ptr fs:[00000030h] 0_2_02148D68
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B2445 mov eax, dword ptr fs:[00000030h] 5_2_006B2445
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B8ECD mov eax, dword ptr fs:[00000030h] 5_2_006B8ECD
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B44AB mov eax, dword ptr fs:[00000030h] 5_2_006B44AB
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B78A0 mov eax, dword ptr fs:[00000030h] 5_2_006B78A0
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B30A6 mov eax, dword ptr fs:[00000030h] 5_2_006B30A6
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B809C mov eax, dword ptr fs:[00000030h] 5_2_006B809C
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B8D68 mov eax, dword ptr fs:[00000030h] 5_2_006B8D68
Source: C:\Users\user\Desktop\BV10013 (Rev A).exe | Code function: 5_2_006B8D5A mov eax, dword ptr fs:[00000030h] 5_2_006B8D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_02292445 mov eax, dword ptr fs:[00000030h] 7_2_02292445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_022944AB mov eax, dword ptr fs:[00000030h] 7_2_022944AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_022978A0 mov eax, dword ptr fs:[00000030h] 7_2_022978A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_022930A6 mov eax, dword ptr fs:[00000030h] 7_2_022930A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_0229809C mov eax, dword ptr fs:[00000030h] 7_2_0229809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_02298ECD mov eax, dword ptr fs:[00000030h] 7_2_02298ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_02298D68 mov eax, dword ptr fs:[00000030h] 7_2_02298D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 7_2_02298D5A mov eax, dword ptr fs:[00000030h] 7_2_02298D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B2445 mov eax, dword ptr fs:[00000030h] 8_2_006B2445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B8ECD mov eax, dword ptr fs:[00000030h] 8_2_006B8ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B44AB mov eax, dword ptr fs:[00000030h] 8_2_006B44AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B78A0 mov eax, dword ptr fs:[00000030h] 8_2_006B78A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B30A6 mov eax, dword ptr fs:[00000030h] 8_2_006B30A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B809C mov eax, dword ptr fs:[00000030h] 8_2_006B809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B8D68 mov eax, dword ptr fs:[00000030h] 8_2_006B8D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 8_2_006B8D5A mov eax, dword ptr fs:[00000030h] 8_2_006B8D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_02282445 mov eax, dword ptr fs:[00000030h] 10_2_02282445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_022844AB mov eax, dword ptr fs:[00000030h] 10_2_022844AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_022878A0 mov eax, dword ptr fs:[00000030h] 10_2_022878A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_022830A6 mov eax, dword ptr fs:[00000030h] 10_2_022830A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_0228809C mov eax, dword ptr fs:[00000030h] 10_2_0228809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_02288ECD mov eax, dword ptr fs:[00000030h] 10_2_02288ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_02288D68 mov eax, dword ptr fs:[00000030h] 10_2_02288D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 10_2_02288D5A mov eax, dword ptr fs:[00000030h] 10_2_02288D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A2445 mov eax, dword ptr fs:[00000030h] 12_2_028A2445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A809C mov eax, dword ptr fs:[00000030h] 12_2_028A809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A44AB mov eax, dword ptr fs:[00000030h] 12_2_028A44AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A78A0 mov eax, dword ptr fs:[00000030h] 12_2_028A78A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A30A6 mov eax, dword ptr fs:[00000030h] 12_2_028A30A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A8ECD mov eax, dword ptr fs:[00000030h] 12_2_028A8ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A8D5A mov eax, dword ptr fs:[00000030h] 12_2_028A8D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 12_2_028A8D68 mov eax, dword ptr fs:[00000030h] 12_2_028A8D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B2445 mov eax, dword ptr fs:[00000030h] 13_2_006B2445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B8ECD mov eax, dword ptr fs:[00000030h] 13_2_006B8ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B44AB mov eax, dword ptr fs:[00000030h] 13_2_006B44AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B78A0 mov eax, dword ptr fs:[00000030h] 13_2_006B78A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B30A6 mov eax, dword ptr fs:[00000030h] 13_2_006B30A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B809C mov eax, dword ptr fs:[00000030h] 13_2_006B809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B8D68 mov eax, dword ptr fs:[00000030h] 13_2_006B8D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 13_2_006B8D5A mov eax, dword ptr fs:[00000030h] 13_2_006B8D5A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B2445 mov eax, dword ptr fs:[00000030h] 14_2_006B2445
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B8ECD mov eax, dword ptr fs:[00000030h] 14_2_006B8ECD
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B44AB mov eax, dword ptr fs:[00000030h] 14_2_006B44AB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B78A0 mov eax, dword ptr fs:[00000030h] 14_2_006B78A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B30A6 mov eax, dword ptr fs:[00000030h] 14_2_006B30A6
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B809C mov eax, dword ptr fs:[00000030h] 14_2_006B809C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B8D68 mov eax, dword ptr fs:[00000030h] 14_2_006B8D68
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr | Code function: 14_2_006B8D5A mov eax, dword ptr fs:[00000030h] 14_2_006B8D5A
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe' Jump to behavior
            Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /SJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /SJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
Source: fil.scr, 00000008.00000002.539252437.0000000000EC0000.00000002.00000001.sdmp, fil.scr, 0000000D.00000002.539170451.0000000000E10000.00000002.00000001.sdmp, fil.scr, 0000000E.00000002.539112326.0000000000F60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: fil.scr, 00000008.00000002.539252437.0000000000EC0000.00000002.00000001.sdmp, fil.scr, 0000000D.00000002.539170451.0000000000E10000.00000002.00000001.sdmp, fil.scr, 0000000E.00000002.539112326.0000000000F60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: fil.scr, 00000008.00000002.539252437.0000000000EC0000.00000002.00000001.sdmp, fil.scr, 0000000D.00000002.539170451.0000000000E10000.00000002.00000001.sdmp, fil.scr, 0000000E.00000002.539112326.0000000000F60000.00000002.00000001.sdmp Binary or memory string: Program ManagerNd[\
Source: fil.scr, 00000008.00000002.539252437.0000000000EC0000.00000002.00000001.sdmp, fil.scr, 0000000D.00000002.539170451.0000000000E10000.00000002.00000001.sdmp, fil.scr, 0000000E.00000002.539112326.0000000000F60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
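The process-creation lines above show two patterns that stand out in endpoint telemetry independently of any signature for this family: every image re-launches a copy of itself with the same path (the report separately flags that the child is created suspended, the usual prelude to injecting code into it), and wscript.exe, the script host that the persistence VBS runs under, launches the dropped fil.scr out of the user's Temp directory. The following is an added example and is not code from the report or the sandbox vendor: a Python triage script that parses "Process created" lines in exactly the form this report prints them (including the run-together extraction form and the trailing "Jump to behavior" link label) and tags each event with the hypothetical rule names below. The seven sample lines are copied from this section; the rule names and the Temp-path heuristic are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One "Process created" evidence line as the report prints it. Parent and child
# image paths are matched up to their first executable extension, so paths with
# spaces and the run-together form ("...fil.scrProcess created: ...") both parse;
# a trailing "Jump to behavior" link label is tolerated and dropped.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<parent>[A-Za-z]:\\.+?\.(?:exe|scr))\s*"
    r"Process created:\s*(?P<child>[A-Za-z]:\\.+?\.(?:exe|scr))\s*(?P<cmd>.*?)"
    r"\s*(?:Jump to behavior)?$",
    re.IGNORECASE,
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # example's choice
USER_TEMP = "\\appdata\\local\\temp\\"                      # user-writable drop dir

Event = Tuple[str, str, str]   # (parent image, child image, command line)

# The seven process-creation lines from this report, verbatim.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\Desktop\BV10013 (Rev A).exe 'C:\Users\user\Desktop\BV10013 (Rev A).exe' Jump to behavior
Source: C:\Users\user\Desktop\BV10013 (Rev A).exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /SJump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr' /SJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
Source: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\fil.scr C:\Users\user\AppData\Local\Temp\subfolder1\fil.scrJump to behavior
""".strip().splitlines()


def parse_events(lines) -> List[Event]:
    """Extract (parent, child, command line) from every line that parses."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["child"], m["cmd"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent: str, child: str, cmd: str) -> List[str]:
    """Hypothetical rule names for the patterns visible in this report."""
    p, c = parent.lower(), child.lower()
    rules = []
    if p == c:
        # Same image launched by itself: in this sample the child is created
        # suspended, the common setup for injecting a payload into it.
        rules.append("self_spawn")
    if basename(p) in SCRIPT_HOSTS and USER_TEMP in c:
        # Script host (here the VBS persistence run by wscript.exe) starting a
        # binary from the user's Temp directory.
        rules.append("script_host_runs_temp_binary")
    if c.endswith(".scr") and USER_TEMP in c:
        # Screensaver extension on a dropped PE executed from Temp.
        rules.append("scr_run_from_temp")
    return rules


def triage(lines) -> Dict[str, List[Event]]:
    """Group parsed events by the rules they trigger."""
    findings = defaultdict(list)
    for ev in parse_events(lines):
        for rule in classify(*ev):
            findings[rule].append(ev)
    return dict(findings)


if __name__ == "__main__":
    for rule, events in triage(REPORT_LINES).items():
        print(f"{rule}: {len(events)} event(s)")
        for parent, child, cmd in events:
            print(f"    {basename(parent)} -> {basename(child)}   {cmd}")
```

The same three rules translate directly into EDR or Sysmon Event ID 1 queries (ParentImage equal to Image; ParentImage ending in wscript.exe with Image under AppData\Local\Temp; Image ending in .scr under Temp). The self-spawn rule on its own is noisy, since updaters and browsers also re-launch themselves, so in production it should be combined with the suspended-create flag or with the Temp-path conditions as it is here.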

            Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Scripting 11 | Registry Run Keys / Startup Folder 11 | Process Injection 12 | Masquerading 1 | Input Capture 1 | Security Software Discovery 231 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Virtualization/Sandbox Evasion 13 | LSASS Memory | Virtualization/Sandbox Evasion 13 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 11 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph

Behavior Graph ID: 254593