Analysis Report parcel_images.exe

Overview

General Information

Sample Name: parcel_images.exe
Analysis ID: 339033
MD5: 5f8a97a2c2b464c360a3628c73b88103
SHA1: 134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256: 74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
Tags: exe, NanoCore, RAT, UPS

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • parcel_images.exe (PID: 6068 cmdline: 'C:\Users\user\Desktop\parcel_images.exe' MD5: 5F8A97A2C2B464C360A3628C73B88103)
    • schtasks.exe (PID: 5664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5420 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 1928 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 576 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5268 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5960 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x14c9d:$x1: NanoCore.ClientPluginHost
  • 0x14cda:$x2: IClientNetworkHost
  • 0x1880d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x14a05:$a: NanoCore
  • 0x14a15:$a: NanoCore
  • 0x14c49:$a: NanoCore
  • 0x14c5d:$a: NanoCore
  • 0x14c9d:$a: NanoCore
  • 0x14a64:$b: ClientPlugin
  • 0x14c66:$b: ClientPlugin
  • 0x14ca6:$b: ClientPlugin
  • 0x14b8b:$c: ProjectData
  • 0x15592:$d: DESCrypto
  • 0x1cf5e:$e: KeepAlive
  • 0x1af4c:$g: LogClientMessage
  • 0x17147:$i: get_Connected
  • 0x158c8:$j: #=q
  • 0x158f8:$j: #=q
  • 0x15914:$j: #=q
  • 0x15944:$j: #=q
  • 0x15960:$j: #=q
  • 0x1597c:$j: #=q
  • 0x159ac:$j: #=q
  • 0x159c8:$j: #=q
(20 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.5ca0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
4.2.RegSvcs.exe.5ca0000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(9 entries in total; the remaining entries are not shown)
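The offsets in the two tables above are byte positions of the rule strings inside each memory dump or unpacked PE. Type and interface names such as NanoCore.ClientPluginHost sit in the .NET metadata #Strings heap as null-terminated ASCII, which is why 0xe75 plus the 25 bytes of that name plus one null byte lands exactly on the 0xe8f hit for IClientNetworkHost; string literals used by the code live in the #US heap as UTF-16, so a scanner that checks only one encoding misses markers. The #=q prefix that Kevin Breen's rule matches as $j is the symbol-renaming pattern of the Eazfuscator.NET obfuscator. The Python below is an added example, not part of the report and not any of the cited rules: it scans a constructed buffer (laid out to reproduce the 0xe75 and 0xe8f offsets) for the rule strings in both encodings, prints hits in the report's offset:identifier format, and applies an assumed counting condition. The real rules' conditions are not shown on this page, and MARKERS is only the subset of their strings quoted above.

```python
import re

# Marker strings and identifiers taken from the Yara hits quoted in the report.
# The ASCII/UTF-16 handling and the verdict condition are this example's own.
MARKERS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$s3": b"PipeExists",
    "$s4": b"PipeCreated",
    "$s5": b"IClientLoggingHost",
    "$j": b"#=q",
}


def find_all(buf, needle):
    """Offsets of every (non-overlapping) occurrence of needle in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan_dump(buf):
    """Return {identifier: [(offset, encoding), ...]} for markers present in buf.

    Each marker is searched both as ASCII (#Strings heap, type/member names)
    and as UTF-16LE (#US heap, string literals used by the code).
    """
    hits = {}
    for ident, ascii_form in MARKERS.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        found = [(off, "ascii") for off in find_all(buf, ascii_form)]
        found += [(off, "utf-16le") for off in find_all(buf, wide_form)]
        if found:
            hits[ident] = sorted(found)
    return hits


def verdict(hits):
    """Assumed condition: any strong $x marker, or at least three weaker ones."""
    strong = any(ident.startswith("$x") for ident in hits)
    weak = sum(1 for ident in hits if not ident.startswith("$x"))
    return strong or weak >= 3


def format_hits(hits):
    """Render hits the way the report lists them: 0x<offset>:<id>: <string>."""
    return [
        f"0x{off:x}:{ident}: {MARKERS[ident].decode()} ({enc})"
        for ident, locs in hits.items()
        for off, enc in locs
    ]


# Constructed memory region: padding so the first two markers land on the
# report's own offsets, followed by a UTF-16 literal and two obfuscated names.
DUMP = (
    b"\x00" * 0xE75
    + b"NanoCore.ClientPluginHost\x00"    # 0xe75, as in the report
    + b"IClientNetworkHost\x00"           # 0xe8f, as in the report
    + b"\x00" * 16
    + "PipeCreated".encode("utf-16-le") + b"\x00\x00"   # 0xeb2, wide form
    + b"#=qAb1\x00#=qCd2\x00"             # 0xeca and 0xed1, Eazfuscator-style names
)

if __name__ == "__main__":
    found = scan_dump(DUMP)
    for line in format_hits(found):
        print(line)
    print("verdict:", verdict(found))
```

Feeding a real dump is a matter of replacing DUMP with `open(path, "rb").read()`; the offsets printed are then directly comparable with the report's tables.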

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\parcel_images.exe' , ParentImage: C:\Users\user\Desktop\parcel_images.exe, ParentProcessId: 6068, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', ProcessId: 5664

    Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: parcel_images.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | Avira: detection malicious, Label: HEUR/AGEN.1120329
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: parcel_images.exe | Virustotal: Detection: 47%
Source: parcel_images.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match | File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: parcel_images.exe | Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack | Avira: Label: TR/NanoCore.fadte
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\parcel_images.exe | Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack
Source: parcel_images.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\parcel_images.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: parcel_images.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb | source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb | source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: mscorrc.pdb | source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 4_2_0349865F

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: cldgr.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49713 -> 69.61.59.215:60003
Source: Joe Sandbox View | ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
Source: unknown | DNS traffic detected: queries for: cldgr.duckdns.org
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFP
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comh
Source: parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/e
Source: parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.compe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krC
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krlearn
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comF
Source: parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comw
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
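Only two lines in this section are observed traffic: the DNS query for cldgr.duckdns.org and the TCP connection from 192.168.2.3:49713 to 69.61.59.215:60003. The font-vendor URLs are strings found in memory (font metadata), not connections, and the RegisterRawInputDevices string belongs to the raw-input keylogging signature rather than to networking. The combination worth alerting on is a dynamic-DNS name together with an outbound connection to a high, non-standard port. The Python below is an added example, not part of the report: it applies that logic to constructed DNS and connection log lines built from the two observed indicators (the report does not say that the name resolved to that address, so the A record linking them is an assumption of the constructed log), plus a benign connection and an internal SMB connection to show what is not flagged. The provider suffix list and the common-port set are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict

# Dynamic DNS providers (assumed list; extend for the environment).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
                   "hopto.org", "zapto.org", "dynu.com")

# Destination ports treated as ordinary (assumed set; tune to the environment).
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 465, 587, 993, 995, 3389, 8080}


def is_dyndns(name):
    """True if name is, or is a subdomain of, a known dynamic DNS provider."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_dns(line):
    """'<ts> <qname> <rtype> <rdata>' -> (qname, rtype, rdata)."""
    _, qname, rtype, rdata = line.split()
    return qname, rtype, rdata


def parse_conn(line):
    """'<ts> <proto> <src>:<sport> -> <dst>:<dport>' -> (proto, dst_ip, dport). IPv4 only."""
    _, proto, _src, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return proto, ip, int(port)


def analyze(dns_lines, conn_lines):
    """Return (kind, subject, detail) alert tuples in log order."""
    names_for_ip = defaultdict(set)   # answer IP -> names that resolved to it
    alerts = []
    for line in dns_lines:
        qname, rtype, rdata = parse_dns(line)
        if rtype == "A":
            names_for_ip[rdata].add(qname)
        if is_dyndns(qname):
            alerts.append(("dyndns_query", qname, rdata))
    for line in conn_lines:
        proto, ip, port = parse_conn(line)
        if ipaddress.ip_address(ip).is_private:
            continue   # internal traffic is out of scope for this check
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        ddns_names = sorted(n for n in names_for_ip.get(ip, ()) if is_dyndns(n))
        if ddns_names:
            reasons.append("resolved from dynamic DNS name " + ", ".join(ddns_names))
        if reasons:
            alerts.append(("suspicious_connection", f"{ip}:{port}", "; ".join(reasons)))
    return alerts


# Constructed log lines. The first DNS line and the first connection carry the
# two indicators observed in the report; the A record tying them together is
# assumed. 93.184.216.34 is used as an arbitrary public address for the control.
DNS_LOG = [
    "2021-01-12T10:00:01 cldgr.duckdns.org A 69.61.59.215",
    "2021-01-12T10:00:02 www.example.org A 93.184.216.34",
]
CONN_LOG = [
    "2021-01-12T10:00:03 tcp 192.168.2.3:49713 -> 69.61.59.215:60003",
    "2021-01-12T10:00:04 tcp 192.168.2.3:49714 -> 93.184.216.34:443",
    "2021-01-12T10:00:05 tcp 192.168.2.3:49715 -> 192.168.2.1:445",
]

if __name__ == "__main__":
    for alert in analyze(DNS_LOG, CONN_LOG):
        print(alert)
```

The two-condition alert (dynamic DNS plus non-standard port) is the one to page on; a dynamic-DNS query alone is common enough in home and small-office traffic that it is better kept as a low-severity enrichment.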

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | the same ten memory-dump and unpacked-PE sources listed under "Yara detected Nanocore RAT" in AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: parcel_images.exe
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_04E51D8E NtQuerySystemInformation
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_04E51D54 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A016DA NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A0169F NtQuerySystemInformation
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01000C50
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01001C53
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010000F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002B08
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01001374
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0100454C
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01003800
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004848
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01000C4D
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004858
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004CA4
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004CA8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002B01
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002F18
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010037F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004A55
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004E55
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004A58
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004291
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004298
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002AA5
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0681208C
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810D90
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810530
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0681AC65
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810D82
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_068105F0
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8CC20
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8E120
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8C500
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8B0E8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8CEA8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8BC98
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8DE78
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8A250
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8A9F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8B728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_01902477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_01917ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03492FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03498BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034997B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03499ACB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03493850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349B488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034932BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349A060
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349987F
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Binary or memory string: OriginalFilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.240637309.0000000000517000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.245931889.0000000004E70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254894264.0000000007340000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253585075.0000000006820000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs parcel_images.exe
Source: parcel_images.exe | Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: parcel_images.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: kWLVXBfTFQKW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@18/13@8/1
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_04E51CBE AdjustTokenPrivileges,0_2_04E51CBE
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_04E51C87 AdjustTokenPrivileges,0_2_04E51C87
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_05A0149A AdjustTokenPrivileges,4_2_05A0149A
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_05A01463 AdjustTokenPrivileges,4_2_05A01463
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\parcel_images.exeFile created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a}
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
    Source: C:\Users\user\Desktop\parcel_images.exeMutant created: \Sessions\1\BaseNamedObjects\btYicyWOySdNftvOgyOAHWI
    Source: C:\Users\user\Desktop\parcel_images.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2412.tmp
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\parcel_images.exeFile read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\parcel_images.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: parcel_images.exeVirustotal: Detection: 47%
    Source: parcel_images.exeReversingLabs: Detection: 31%
    Source: C:\Users\user\Desktop\parcel_images.exeFile read: C:\Users\user\Desktop\parcel_images.exe
    Source: unknownProcess created: C:\Users\user\Desktop\parcel_images.exe 'C:\Users\user\Desktop\parcel_images.exe'
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
    Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
    Source: C:\Users\user\Desktop\parcel_images.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\parcel_images.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    Source: parcel_images.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: parcel_images.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: parcel_images.exeStatic file information: File size 1350144 > 1048576
    Source: C:\Users\user\Desktop\parcel_images.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: parcel_images.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10ee00
    Source: parcel_images.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
    Source: Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\parcel_images.exeUnpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\parcel_images.exeUnpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack
    .NET source code contains potential unpacker
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_003D4419 push es; retf 0_2_003D441C
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_0100054B pushfd ; retf 0_2_0100054D
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_01007581 push esp; retf 0_2_01007582
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_01007589 push esp; retf 0_2_0100758A
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_010075B8 push ebp; retf 0_2_010075BA
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_010075C1 push ebp; retf 0_2_010075C2
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_01008C49 push BAFFFFFEh; retn 0001h0_2_01008C4E
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_01008CAE push eax; iretd 0_2_01008CB1
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_010037F0 pushad ; retf 0_2_010037F1
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_0681AE4B push es; iretd 0_2_0681AE4C
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_06814060 push es; retf 0_2_06814070
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_06F8355F push ebx; retf 0_2_06F83560
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_06F83D52 pushad ; ret 0_2_06F83D53
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_019174B8 push ebp; ret 4_2_019174B9
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_019174AC push ecx; ret 4_2_019174AD
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_01919D78 pushad ; retf 4_2_01919D79
    Source: initial sampleStatic PE information: section name: .text entropy: 7.47102153037
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\parcel_images.exeFile created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\parcel_images.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX