Analysis Report parcel_images.exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: parcel_images.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Avira: detection malicious, Label: HEUR/AGEN.1120329

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: parcel_images.exe	Virustotal: Detection: 47%			Perma Link
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: parcel_images.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.RegSvcs.exe.5cb0000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

Uses 32bit PE files

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

4_2_0349865F

Networking:

Uses dynamic DNS services

Source: unknown

DNS query: name: cldgr.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49713 -> 69.61.59.215:60003

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: cldgr.duckdns.org

Urls found in memory or binary data

Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFP
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comh
Source: parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.c
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/e
Source: parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.compe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krC
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlearn
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comF
Source: parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comw
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)

Source: RegSvcs.exe, 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: parcel_images.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D8E NtQuerySystemInformation,		0_2_04E51D8E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D54 NtQuerySystemInformation,		0_2_04E51D54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A016DA NtQuerySystemInformation,		4_2_05A016DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0169F NtQuerySystemInformation,		4_2_05A0169F

Detected potential crypto function

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C50		0_2_01000C50
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001C53		0_2_01001C53
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010000F8		0_2_010000F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B08		0_2_01002B08
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001374		0_2_01001374
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100454C		0_2_0100454C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01003800		0_2_01003800
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004848		0_2_01004848
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C4D		0_2_01000C4D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004858		0_2_01004858
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA4		0_2_01004CA4
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA8		0_2_01004CA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B01		0_2_01002B01
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002F18		0_2_01002F18
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F8		0_2_010037F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A55		0_2_01004A55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004E55		0_2_01004E55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A58		0_2_01004A58
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004291		0_2_01004291
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004298		0_2_01004298
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002AA5		0_2_01002AA5
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681208C		0_2_0681208C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D90		0_2_06810D90
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810530		0_2_06810530
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AC65		0_2_0681AC65
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D82		0_2_06810D82
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_068105F0		0_2_068105F0
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CC20		0_2_06F8CC20
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8E120		0_2_06F8E120
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8C500		0_2_06F8C500
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B0E8		0_2_06F8B0E8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CEA8		0_2_06F8CEA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8BC98		0_2_06F8BC98
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8DE78		0_2_06F8DE78
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A250		0_2_06F8A250
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A9F8		0_2_06F8A9F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B728		0_2_06F8B728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01902477		4_2_01902477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01917ABE		4_2_01917ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03492FA8		4_2_03492FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034923A0		4_2_034923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03498BB8		4_2_03498BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034997B8		4_2_034997B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03499ACB		4_2_03499ACB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03493850		4_2_03493850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349B488		4_2_0349B488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034932BB		4_2_034932BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349306F		4_2_0349306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349A060		4_2_0349A060
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349987F		4_2_0349987F

PE file contains strange resources

Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: parcel_images.exe	Binary or memory string: OriginalFilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.240637309.0000000000517000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.245931889.0000000004E70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254894264.0000000007340000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253585075.0000000006820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs parcel_images.exe
Source: parcel_images.exe	Binary or memory string: OriginalFilenameG vs parcel_images.exe

Uses 32bit PE files

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: parcel_images.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains calls to encryption/decryption functions

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@8/1

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51CBE AdjustTokenPrivileges,		0_2_04E51CBE
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51C87 AdjustTokenPrivileges,		0_2_04E51C87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0149A AdjustTokenPrivileges,		4_2_05A0149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A01463 AdjustTokenPrivileges,		4_2_05A01463

Creates files inside the program directory

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: C:\Users\user\Desktop\parcel_images.exe	Mutant created: \Sessions\1\BaseNamedObjects\btYicyWOySdNftvOgyOAHWI

Creates temporary files

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2412.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: parcel_images.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\parcel_images.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: parcel_images.exe	Virustotal: Detection: 47%
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Sample reads its own file content

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\parcel_images.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\parcel_images.exe 'C:\Users\user\Desktop\parcel_images.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\parcel_images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: parcel_images.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

PE file has a big code size

Source: parcel_images.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: parcel_images.exe

Static file information: File size 1350144 > 1048576

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

PE file has a big raw section

Source: parcel_images.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ee00

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

.NET source code contains potential unpacker

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_003D4419 push es; retf		0_2_003D441C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100054B pushfd ; retf		0_2_0100054D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007581 push esp; retf		0_2_01007582
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007589 push esp; retf		0_2_0100758A
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075B8 push ebp; retf		0_2_010075BA
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075C1 push ebp; retf		0_2_010075C2
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008C49 push BAFFFFFEh; retn 0001h		0_2_01008C4E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008CAE push eax; iretd		0_2_01008CB1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F0 pushad ; retf		0_2_010037F1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AE4B push es; iretd		0_2_0681AE4C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06814060 push es; retf		0_2_06814070
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8355F push ebx; retf		0_2_06F83560
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F83D52 pushad ; ret		0_2_06F83D53
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174B8 push ebp; ret		4_2_019174B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174AC push ecx; ret		4_2_019174AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01919D78 pushad ; retf		4_2_01919D79

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037
Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037

.NET source code contains many randomly named methods

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs

High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs

High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\parcel_images.exe	File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match

File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1AR&H

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\parcel_images.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\parcel_images.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 418			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 1121			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 459			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 1304			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\parcel_images.exe TID: 6000	Thread sleep time: -31500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe TID: 5988	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1636	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains functionality to query system information

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_05A011C2 GetSystemInfo,

4_2_05A011C2

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1arELH
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1ar
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: ar#"SOFTWARE\VMware, Inc.\VMware ToolsX1ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE|9ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: QEMUX1ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware |9ar
Source: parcel_images.exe, 00000000.00000002.242260159.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1arEL
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.597587716.00000000015FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY y
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware|9ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: vmwareX1ar
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1arK
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\parcel_images.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\parcel_images.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\parcel_images.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\parcel_images.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\parcel_images.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 1010008			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: RegSvcs.exe, 00000004.00000003.290249385.00000000015FC000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000004.00000002.603364013.0000000003B49000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.602958083.0000000003945000.00000004.00000001.sdmp	Binary or memory string: Program Manager>A0
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior

Contains functionality to query the account / user name

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_0190AF9A GetUserNameW,

4_2_0190AF9A

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\parcel_images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: parcel_images.exe, 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0292E bind,		4_2_05A0292E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A028FB bind,		4_2_05A028FB