Windows Analysis Report
bfsvc.exe

Overview

General Information

Sample name: bfsvc.exe
Analysis ID: 1525467
MD5: 60a339532f6a5290d435acbd30cb1992
SHA1: 49ac28641a0448d4179eb870c1af4327a1799650
SHA256: ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269
Tags: exe, user-smica83

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: bfsvc.exe Avira: detected
Source: bfsvc.exe ReversingLabs: Detection: 39%
Source: bfsvc.exe Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140145940 GetAsyncKeyState,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard, 6_2_0000000140145940
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400E00A4 GetSystemMetrics,GetAsyncKeyState,WindowFromPoint,ScreenToClient,SendMessageA,ScreenToClient, 6_2_00000001400E00A4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014005098C MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA, 6_2_000000014005098C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140114F8C GetKeyState,GetKeyState,GetKeyState, 6_2_0000000140114F8C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400159A4 GetKeyState,GetKeyState,GetKeyState,SendMessageA, 6_2_00000001400159A4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014009E3C0 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 6_2_000000014009E3C0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013EA78 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 6_2_000000014013EA78
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140054054 6_2_0000000140054054
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140080090 6_2_0000000140080090
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D8088 6_2_00000001400D8088
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400400EC 6_2_00000001400400EC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400380F4 6_2_00000001400380F4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140124158 6_2_0000000140124158
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140100148 6_2_0000000140100148
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014001C178 6_2_000000014001C178
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A8198 6_2_00000001400A8198
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400481D8 6_2_00000001400481D8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401981D0 6_2_00000001401981D0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401742B8 6_2_00000001401742B8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013C2B0 6_2_000000014013C2B0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014012C33C 6_2_000000014012C33C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D4340 6_2_00000001400D4340
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014009035C 6_2_000000014009035C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014019844C 6_2_000000014019844C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A4464 6_2_00000001400A4464
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401745E4 6_2_00000001401745E4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401A05F0 6_2_00000001401A05F0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014011C638 6_2_000000014011C638
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014007C650 6_2_000000014007C650
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401606C0 6_2_00000001401606C0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A06F8 6_2_00000001400A06F8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401007D8 6_2_00000001401007D8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140118838 6_2_0000000140118838
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140104874 6_2_0000000140104874
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013C8CC 6_2_000000014013C8CC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400DC8D4 6_2_00000001400DC8D4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014008CA04 6_2_000000014008CA04
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140124AA0 6_2_0000000140124AA0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140054B9C 6_2_0000000140054B9C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140140BFC 6_2_0000000140140BFC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400E8C04 6_2_00000001400E8C04
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401A0C4C 6_2_00000001401A0C4C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140174C9C 6_2_0000000140174C9C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140158C9C 6_2_0000000140158C9C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140078CA0 6_2_0000000140078CA0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140068CB4 6_2_0000000140068CB4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400BCCC4 6_2_00000001400BCCC4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400FCCD4 6_2_00000001400FCCD4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140134D48 6_2_0000000140134D48
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400ACD60 6_2_00000001400ACD60
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140090DE4 6_2_0000000140090DE4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400ECE24 6_2_00000001400ECE24
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A8E58 6_2_00000001400A8E58
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400E4E64 6_2_00000001400E4E64
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014010CF78 6_2_000000014010CF78
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401310A0 6_2_00000001401310A0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140115184 6_2_0000000140115184
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400351AC 6_2_00000001400351AC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401451AC 6_2_00000001401451AC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140169268 6_2_0000000140169268
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400692F0 6_2_00000001400692F0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400792EC 6_2_00000001400792EC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014011D340 6_2_000000014011D340
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400C5348 6_2_00000001400C5348
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F53C8 6_2_00000001400F53C8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014005943C 6_2_000000014005943C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014003944C 6_2_000000014003944C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400514CC 6_2_00000001400514CC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A94D8 6_2_00000001400A94D8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401314FC 6_2_00000001401314FC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401254E8 6_2_00000001401254E8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140105510 6_2_0000000140105510
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F162C 6_2_00000001400F162C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140139680 6_2_0000000140139680
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014008D694 6_2_000000014008D694
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400B1714 6_2_00000001400B1714
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A1748 6_2_00000001400A1748
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400E1754 6_2_00000001400E1754
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140149780 6_2_0000000140149780
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013D788 6_2_000000014013D788
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400457C0 6_2_00000001400457C0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400317E0 6_2_00000001400317E0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014005980C 6_2_000000014005980C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400B58DC 6_2_00000001400B58DC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401418CC 6_2_00000001401418CC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A58E8 6_2_00000001400A58E8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140105924 6_2_0000000140105924
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140021938 6_2_0000000140021938
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401A5984 6_2_00000001401A5984
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401699D0 6_2_00000001401699D0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400E5A0C 6_2_00000001400E5A0C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014005DA4C 6_2_000000014005DA4C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013DA9C 6_2_000000014013DA9C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014012DA84 6_2_000000014012DA84
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D5AE0 6_2_00000001400D5AE0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140065AF0 6_2_0000000140065AF0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D5C1C 6_2_00000001400D5C1C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140171C2C 6_2_0000000140171C2C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140115CDC 6_2_0000000140115CDC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140085CF8 6_2_0000000140085CF8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F1D10 6_2_00000001400F1D10
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140095D80 6_2_0000000140095D80
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140139DEC 6_2_0000000140139DEC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140131E48 6_2_0000000140131E48
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400B5E90 6_2_00000001400B5E90
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014010DED4 6_2_000000014010DED4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140121F04 6_2_0000000140121F04
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140039F48 6_2_0000000140039F48
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400B1F5C 6_2_00000001400B1F5C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400C5F8C 6_2_00000001400C5F8C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140142110 6_2_0000000140142110
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400AE170 6_2_00000001400AE170
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014013A1C4 6_2_000000014013A1C4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400821FC 6_2_00000001400821FC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014009A1F8 6_2_000000014009A1F8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D6210 6_2_00000001400D6210
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014007A2D8 6_2_000000014007A2D8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400DA2EC 6_2_00000001400DA2EC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A6304 6_2_00000001400A6304
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014009E3C0 6_2_000000014009E3C0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140162420 6_2_0000000140162420
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401AE40C 6_2_00000001401AE40C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140086488 6_2_0000000140086488
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014000E4E0 6_2_000000014000E4E0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401264F4 6_2_00000001401264F4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F6524 6_2_00000001400F6524
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140062578 6_2_0000000140062578
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400525FC 6_2_00000001400525FC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014015A6A0 6_2_000000014015A6A0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014002A6E8 6_2_000000014002A6E8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014010675C 6_2_000000014010675C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400B2758 6_2_00000001400B2758
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014019E774 6_2_000000014019E774
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401427A8 6_2_00000001401427A8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014016E7C4 6_2_000000014016E7C4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140066824 6_2_0000000140066824
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014008E858 6_2_000000014008E858
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400D2868 6_2_00000001400D2868
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140152868 6_2_0000000140152868
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140146894 6_2_0000000140146894
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401768D4 6_2_00000001401768D4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400968DC 6_2_00000001400968DC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400A68E8 6_2_00000001400A68E8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F2A80 6_2_00000001400F2A80
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140136AA8 6_2_0000000140136AA8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014014AB1C 6_2_000000014014AB1C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140122B40 6_2_0000000140122B40
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400EAB50 6_2_00000001400EAB50
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140126B98 6_2_0000000140126B98
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400AAB88 6_2_00000001400AAB88
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140116BC0 6_2_0000000140116BC0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140082C0C 6_2_0000000140082C0C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014012AC4C 6_2_000000014012AC4C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014012ECB8 6_2_000000014012ECB8
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001400F6CE4 6_2_00000001400F6CE4
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140146D0C 6_2_0000000140146D0C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014010AD60 6_2_000000014010AD60
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014007ED88 6_2_000000014007ED88
Source: C:\Users\user\Desktop\bfsvc.exe Code function: String function: 00000001400BCC44 appears 97 times
Source: C:\Users\user\Desktop\bfsvc.exe Code function: String function: 0000000140098F30 appears 61 times
Source: C:\Users\user\Desktop\bfsvc.exe Code function: String function: 00000001400076E0 appears 237 times
Source: C:\Users\user\Desktop\bfsvc.exe Code function: String function: 0000000140004B34 appears 61 times
Source: bfsvc.exe Static PE information: invalid certificate
Source: classification engine Classification label: mal56.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014003CAC0 GetVersionExA,CoInitializeEx,CoCreateInstance, 6_2_000000014003CAC0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140014264 FindResourceA,LoadResource,LockResource,FreeResource, 6_2_0000000140014264
Source: C:\Users\user\Desktop\bfsvc.exe File created: C:\Users\user~1\AppData\Local\Temp\~SF877.tmp
Source: bfsvc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bfsvc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\bfsvc.exe File read: C:\Users\user\Desktop\bfsvc.exe
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bfsvc.exe Section loaded: kernel.appcore.dll
Source: bfsvc.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: bfsvc.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: bfsvc.exe Static file information: File size 2789712 > 1048576
Source: bfsvc.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400
Source: bfsvc.exe Static PE information: More than 200 imports for USER32.dll
Source: bfsvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140039024 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError, 6_2_0000000140039024
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D3543 push rbx; retf 6_2_004D3544
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D1B79 push rbp; ret 6_2_004D1B7A
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D0A2C push rax; ret 6_2_004D0A3A
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D283E pushfq ; ret 6_2_004D283F
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D30DF push rbx; iretd 6_2_004D30E3
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_004D15FC push rbx; ret 6_2_004D15FD
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014010D541 push rcx; ret 6_2_000000014010D542
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140094878 GetParent,IsIconic,GetParent,GetDlgCtrlID, 6_2_0000000140094878
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 6_2_0000000140114B5C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014011562C IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoA,CopyRect,CopyRect,SystemParametersInfoA,OffsetRect,GetSystemMetrics,GetSystemMetrics, 6_2_000000014011562C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140115954 IsIconic,PostMessageA, 6_2_0000000140115954
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014011609C IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect, 6_2_000000014011609C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_00000001401168BC GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 6_2_00000001401168BC
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140116BC0 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageA,IsWindow,GetWindowRect,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA, 6_2_0000000140116BC0
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140002E00 IsIconic, 6_2_0000000140002E00
Source: C:\Users\user\Desktop\bfsvc.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bfsvc.exe API coverage: 0.0 %
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014019A694 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 6_2_000000014019A694
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140196A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0000000140196A38
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_000000014006C43C OutputDebugStringA,ActivateActCtx,GetLastError,DeactivateActCtx,SetLastError, 6_2_000000014006C43C
Source: C:\Users\user\Desktop\bfsvc.exe Code function: 6_2_0000000140192D94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000140192D94
Source: C:\Users\user\Desktop\bfsvc.exe Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 6_2_000000014001E3DC
No contacted IP infos