
Analysis Report parcel_images.exe

Overview

General Information

Sample Name: parcel_images.exe
Analysis ID: 339033
MD5: 5f8a97a2c2b464c360a3628c73b88103
SHA1: 134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256: 74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
Tags: exe, NanoCore, RAT, UPS


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • parcel_images.exe (PID: 6068 cmdline: 'C:\Users\user\Desktop\parcel_images.exe' MD5: 5F8A97A2C2B464C360A3628C73B88103)
    • schtasks.exe (PID: 5664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5420 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 1928 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 576 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5268 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5960 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x14c9d:$x1: NanoCore.ClientPluginHost
  • 0x14cda:$x2: IClientNetworkHost
  • 0x1880d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x14a05:$a: NanoCore
  • 0x14a15:$a: NanoCore
  • 0x14c49:$a: NanoCore
  • 0x14c5d:$a: NanoCore
  • 0x14c9d:$a: NanoCore
  • 0x14a64:$b: ClientPlugin
  • 0x14c66:$b: ClientPlugin
  • 0x14ca6:$b: ClientPlugin
  • 0x14b8b:$c: ProjectData
  • 0x15592:$d: DESCrypto
  • 0x1cf5e:$e: KeepAlive
  • 0x1af4c:$g: LogClientMessage
  • 0x17147:$i: get_Connected
  • 0x158c8:$j: #=q
  • 0x158f8:$j: #=q
  • 0x15914:$j: #=q
  • 0x15944:$j: #=q
  • 0x15960:$j: #=q
  • 0x1597c:$j: #=q
  • 0x159ac:$j: #=q
  • 0x159c8:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 4.2.RegSvcs.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\parcel_images.exe', ParentImage: C:\Users\user\Desktop\parcel_images.exe, ParentProcessId: 6068, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', ProcessId: 5664

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: parcel_images.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | Avira: detection malicious, Label: HEUR/AGEN.1120329
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: parcel_images.exe | Virustotal: Detection: 47%
Source: parcel_images.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match | File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: parcel_images.exe | Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack | Avira: Label: TR/NanoCore.fadte
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\parcel_images.exe | Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack
Source: parcel_images.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\parcel_images.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: parcel_images.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb | source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb | source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb | source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: mscorrc.pdb | source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then mov esp, ebp

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: cldgr.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49713 -> 69.61.59.215:60003
Source: Joe Sandbox View | ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
Source: unknown | DNS traffic detected: queries for: cldgr.duckdns.org
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFP
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comh
Source: parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/e
Source: parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.compe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krC
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krlearn
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comF
Source: parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comw
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match | File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: parcel_images.exe
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_04E51D8E NtQuerySystemInformation,
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_04E51D54 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A016DA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A0169F NtQuerySystemInformation,
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01000C50
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01001C53
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010000F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002B08
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01001374
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0100454C
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01003800
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004848
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01000C4D
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004858
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004CA4
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004CA8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002B01
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002F18
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010037F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004A55
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004E55
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004A58
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004291
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01004298
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01002AA5
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0681208C
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810D90
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810530
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0681AC65
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06810D82
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_068105F0
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8CC20
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8E120
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8C500
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8B0E8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8CEA8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8BC98
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8DE78
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8A250
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8A9F8
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8B728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_01902477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_01917ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03492FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03498BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034997B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03499ACB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03493850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349B488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_034932BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349A060
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0349987F
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe | Binary or memory string: OriginalFilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.240637309.0000000000517000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.245931889.0000000004E70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254894264.0000000007340000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253585075.0000000006820000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs parcel_images.exe
Source: parcel_images.exe | Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: parcel_images.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: kWLVXBfTFQKW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@18/13@8/1
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_04E51CBE AdjustTokenPrivileges,
    Source: C:\Users\user\Desktop\parcel_images.exeCode function: 0_2_04E51C87 AdjustTokenPrivileges,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_05A0149A AdjustTokenPrivileges,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_05A01463 AdjustTokenPrivileges,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: C:\Users\user\Desktop\parcel_images.exeFile created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exeJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a}
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
    Source: C:\Users\user\Desktop\parcel_images.exeMutant created: \Sessions\1\BaseNamedObjects\btYicyWOySdNftvOgyOAHWI
    Source: C:\Users\user\Desktop\parcel_images.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2412.tmpJump to behavior
    Source: parcel_images.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\parcel_images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\parcel_images.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\parcel_images.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: parcel_images.exeVirustotal: Detection: 47%
    Source: parcel_images.exeReversingLabs: Detection: 31%
    Source: C:\Users\user\Desktop\parcel_images.exeFile read: C:\Users\user\Desktop\parcel_images.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\parcel_images.exe 'C:\Users\user\Desktop\parcel_images.exe'
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
    Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
    Source: C:\Users\user\Desktop\parcel_images.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\parcel_images.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    Source: parcel_images.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: parcel_images.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: parcel_images.exeStatic file information: File size 1350144 > 1048576
    Source: C:\Users\user\Desktop\parcel_images.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: parcel_images.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10ee00
    Source: parcel_images.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
    Source: Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\parcel_images.exe | Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\parcel_images.exe | Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack
.NET source code contains potential unpacker
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_003D4419 push es; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0100054B pushfd ; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01007581 push esp; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01007589 push esp; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010075B8 push ebp; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010075C1 push ebp; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01008C49 push BAFFFFFEh; retn 0001h
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_01008CAE push eax; iretd
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_010037F0 pushad ; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_0681AE4B push es; iretd
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06814060 push es; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F8355F push ebx; retf
Source: C:\Users\user\Desktop\parcel_images.exe | Code function: 0_2_06F83D52 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_019174B8 push ebp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_019174AC push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_01919D78 pushad ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.47102153037
Source: initial sample | Static PE information: section name: .text entropy: 7.47102153037
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\parcel_images.exe | File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
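The .text entropy of 7.47 bits per byte reported above, together with the oversized .text section and the two unpacking signatures, is the static side of the packed-.NET-loader picture and can be reproduced without a sandbox. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it walks the PE section table by hand (DOS header, PE signature, file header, section headers), computes byte-level Shannon entropy per section, and flags executable sections above a threshold. The PE it inspects is constructed in memory by build_sample_pe so the block runs offline; the 7.0 bar and the sample layout are assumptions, not values taken from the report.

```python
import math
import random
import struct
from typing import Dict, List

# Section characteristic bits from winnt.h (the subset the report names, plus data flags).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte, 0.0 for empty or uniform input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (20 bytes total).
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, fh)
    sect_off = fh + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, _vaddr, rawsize, rawptr,
         _relptr, _lineptr, _nrel, _nline, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
            "entropy": shannon_entropy(raw),
        })
    return sections


def triage(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Names of executable sections whose entropy suggests packed or encrypted code (assumed bar: 7.0)."""
    return [s["name"] for s in parse_sections(pe)
            if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE: a high-entropy executable .text next to a low-entropy .rsrc."""
    rng = random.Random(1337)
    text = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for packed code
    rsrc = b"\x00\x01\x02\x03" * 256                         # four symbols, entropy exactly 2.0
    opt = struct.pack("<H", 0x10B) + b"\0" * 222             # PE32 magic, remaining fields zeroed
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)  # i386, 2 sections
    text_off = 0x200
    rsrc_off = text_off + len(text)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off,
                       0, 0, 0, 0, 0x60000020)               # CODE | MEM_EXECUTE | MEM_READ
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), rsrc_off,
                        0, 0, 0, 0, 0x40000040)              # INITIALIZED_DATA | MEM_READ
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + file_header + opt + sect
    headers += b"\0" * (text_off - len(headers))             # pad headers up to first raw section
    return headers + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} raw={s['raw_size']:#07x} entropy={s['entropy']:.3f} {', '.join(s['flags'])}")
    print("suspicious:", triage(sample))
```

On the real sample the same walk yields the 7.47 figure the report lists; a .text section that high, combined with IMAGE_SCN_MEM_EXECUTE and a Raw size above 0x100000, is what justifies unpacking it in a debugger rather than reading the static disassembly.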

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
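This schtasks invocation, and the two 'DHCP Monitor' variants that RegSvcs.exe spawns later in the process list, is the behaviour the "Scheduled temp file as task from temp location" Sigma hit keys on: a task definition imported with /XML from a file the dropper just wrote under %TEMP%. The Python below is an added example, not the report's or any Sigma rule's text. It encodes that detection over process-creation events shaped like the report's own command lines; the ProcessEvent field names, the benign control events and the Temp-directory patterns are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations a legitimate installer should never import a task definition from (assumed list).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.I)
# The /XML argument: quoted with ' (as Joe Sandbox renders command lines), with ", or bare.
XML_ARG = re.compile(r"""/xml\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are an assumption, not a log schema."""
    parent: str
    image: str
    cmdline: str


def xml_path(cmdline: str) -> Optional[str]:
    """Return the task-definition path passed via /XML, or None when absent."""
    m = XML_ARG.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_task_from_temp(ev: ProcessEvent) -> bool:
    """True for schtasks /Create whose XML task definition lives in a Temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    if not re.search(r"/create\b", ev.cmdline, re.I):   # /Create and /create both occur in the report
        return False
    path = xml_path(ev.cmdline)
    return path is not None and TEMP_PATH.search(path) is not None


def detect(events: List[ProcessEvent]) -> List[str]:
    """Parent image of every event that trips the rule, in arrival order."""
    return [ev.parent for ev in events if is_task_from_temp(ev)]


# Constructed events modelled on the report's process tree, plus two benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\user\Desktop\parcel_images.exe",
                 r"C:\Windows\SysWOW64\schtasks.exe",
                 r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' "
                 r"/XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
                 r"C:\Windows\SysWOW64\schtasks.exe",
                 r"'schtasks.exe' /create /f /tn 'DHCP Monitor' "
                 r"/xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'"),
    ProcessEvent(r"C:\Windows\explorer.exe",                     # benign: XML from ProgramData
                 r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\Backup\task.xml'"),
    ProcessEvent(r"C:\Windows\explorer.exe",                     # benign: no task creation at all
                 r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /Query /TN 'Backup'"),
]

if __name__ == "__main__":
    for parent in detect(SAMPLE_EVENTS):
        print("task imported from Temp by", parent)
```

The rule is deliberately narrow: it only fires on the /XML import form seen here, so a dropper that registers its task with /TR and /SC instead passes it. Pair it with a second rule on the parent (a .NET utility such as RegSvcs.exe spawning schtasks.exe is itself anomalous, as the injection signatures above explain) rather than widening this one until it fires on every installer.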

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\parcel_images.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (38 identical entries)

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1AR&H
    Source: C:\Users\user\Desktop\parcel_images.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\parcel_images.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: threadDelayed 418
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: threadDelayed 1121
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 459
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 1304
    Source: C:\Users\user\Desktop\parcel_images.exe TID: 6000 Thread sleep time: -31500s >= -30000s
    Source: C:\Users\user\Desktop\parcel_images.exe TID: 5988 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2584 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1636 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (6 identical entries)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 4_2_05A011C2 GetSystemInfo,
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1arELH
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMware
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMWAREX1ar
    Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: ar#"SOFTWARE\VMware, Inc.\VMware ToolsX1ar
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMWARE|9ar
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: QEMUX1ar
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMWARE
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMware |9ar
    Source: parcel_images.exe, 00000000.00000002.242260159.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1arEL
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: RegSvcs.exe, 00000004.00000002.597587716.00000000015FC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY y
    Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMware|9ar
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: vmwareX1ar
    Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1arK
    Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\parcel_images.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\parcel_images.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\parcel_images.exe Memory allocated: page read and write | page guard
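The AntiVM_3 hit and the "Binary or memory string" entries above are driven by a small set of literal strings (the Sandboxie DLL name SBIEDLL.DLL, the Wine export WINE_GET_UNIX_FILE_NAME, the VMware Tools registry key and install path, "VMware SVGA II", "QEMU", and the SCSI/Disk enumeration keys). The script below is an added example, not Joe Sandbox's own rule or the sample's code: it scans a raw memory buffer for those indicators in both ASCII and UTF-16LE (an assumption based on how .NET stores strings, not something the report states), and classifies the "Thread delayed" values. Note that 922337203685477 is exactly Int64.MaxValue / 10000, i.e. .NET TimeSpan.MaxValue in milliseconds, so those entries describe threads parked indefinitely rather than timed sleeps; the sample buffer is constructed here and is not taken from the dump.

```python
"""
Scanner for the anti-analysis indicators behind the AntiVM_3 hit above,
plus a classifier for the sleep values.  Added example, not Joe Sandbox
code; SAMPLE_BUFFER is constructed to resemble the .NET heap strings in
the sdmp entries, and UTF-16LE matching is an assumption about .NET
string layout, not something the report states.
"""
import re
from typing import Dict, List, Tuple

# Indicator string -> category.  Every string here appears in the report.
INDICATORS: Dict[str, str] = {
    "SBIEDLL.DLL": "sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "wine",
    "SOFTWARE\\VMware, Inc.\\VMware Tools": "vmware",
    "VMware SVGA II": "vmware",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\": "vmware",
    "QEMU": "qemu",
    "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port": "scsi-enum",
    "SYSTEM\\ControlSet001\\Services\\Disk\\Enum": "scsi-enum",
}


def _compile() -> List[Tuple[re.Pattern, str, str]]:
    """One case-insensitive byte pattern per indicator and encoding."""
    out = []
    for text, category in INDICATORS.items():
        for encoding in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(text.encode(encoding)), re.IGNORECASE)
            out.append((pat, category, text))
    return out


_PATTERNS = _compile()


def scan_buffer(buf: bytes) -> Dict[str, List[str]]:
    """Return {category: [indicator, ...]} for every indicator present in buf."""
    found: Dict[str, List[str]] = {}
    for pat, category, text in _PATTERNS:
        if pat.search(buf):
            hits = found.setdefault(category, [])
            if text not in hits:
                hits.append(text)
    return found


# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in milliseconds
# that is 922337203685477, the exact 'delay time' recorded in the report.
TICKS_PER_MS = 10_000
TIMESPAN_MAX_MS = (2 ** 63 - 1) // TICKS_PER_MS


def classify_sleep_ms(delay_ms: int, long_threshold_ms: int = 30_000) -> str:
    """'infinite' for a TimeSpan.MaxValue park, 'long' above the threshold, else 'short'."""
    if delay_ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if delay_ms >= long_threshold_ms:
        return "long"
    return "short"


# Constructed test buffer (not from the dump): mixed ASCII and UTF-16LE,
# with 'X1AR&H'-style residue next to a string as seen in the report.
SAMPLE_BUFFER = (
    b"\x00" * 16
    + "SBIEDLL.DLL".encode("utf-16-le") + b"X1AR&H"
    + b"VMware SVGA II" + b"\x00" * 8
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"qemu" + b"\x00" * 16
)

if __name__ == "__main__":
    for category, hits in scan_buffer(SAMPLE_BUFFER).items():
        print(f"{category}: {hits}")
    for ms in (31500, 922337203685477):
        print(ms, classify_sleep_ms(ms))
```

Run the scanner over a process memory dump (for example the sdmp regions listed above) rather than the on-disk sample; the strings are decrypted into memory at runtime, which is why the report attributes them to the 0x2D3E000 region and not to the file.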

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\parcel_images.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign process
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
    Source: C:\Users\user\Desktop\parcel_images.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 1010008
    Source: C:\Users\user\Desktop\parcel_images.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
    Source: C:\Users\user\Desktop\parcel_images.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
    Source: RegSvcs.exe, 00000004.00000003.290249385.00000000015FC000.00000004.00000001.sdmp Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
    Source: RegSvcs.exe, 00000004.00000002.603364013.0000000003B49000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: RegSvcs.exe, 00000004.00000002.602958083.0000000003945000.00000004.00000001.sdmp Binary or memory string: Program Manager>A0
    Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
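The injection entries above form one sequence: parcel_images.exe allocates page-execute-read-write memory in RegSvcs.exe at 0x400000, writes an image whose first bytes are the MZ magic (4D5A) to that base, then writes the sections at 0x402000, 0x420000 and 0x422000. The write at 0x1010008 is not explained by the report; on a 32-bit process PEB+0x8 is ImageBaseAddress, which a loader that maps a new image updates, but that reading is an inference, not a report finding. The three schtasks.exe launches then register tasks from XML files in the user's Temp directory. The script below is an added example, not Joe Sandbox's rule logic or the sample's code: it parses behaviour lines in the "Source: <process> <event>" format used on this page (the regexes tolerate the missing space after ".exe" in the extracted text) and flags both patterns. REPORT_LINES are copied from the entries above.

```python
"""
Rule logic for two behaviours recorded above: a PE image written into a
foreign process (an executable allocation at a base, followed by a write
to that base whose payload starts with 4D5A) and a scheduled task created
from an XML file under the user's Temp directory.  Added example, not
Joe Sandbox code; the line format assumed is the one on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Behaviour lines copied from the report above.  The extraction fused the
# source image name and the event, so '.exe' may be followed by text directly.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\parcel_images.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\parcel_images.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\parcel_images.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000",
    r"Source: C:\Users\user\Desktop\parcel_images.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 1010008",
    r"Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'",
    r"Source: C:\Users\user\Desktop\parcel_images.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'",
]

# ' ?' after the source image absorbs the fused '.exeMemory' / '.exeProcess' text.
ALLOC_RE = re.compile(r"^Source: (?P<src>.+?\.exe) ?Memory allocated: (?P<dst>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?\.exe) ?Memory written: (?P<dst>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
PROC_RE = re.compile(r"^Source: (?P<src>.+?\.exe) ?Process created: (?P<image>.+?\.exe) (?P<cmd>.+)$")
TEMP_XML_RE = re.compile(r"/xml\s+'(?P<path>[^']*\\AppData\\Local\\Temp\\[^']*)'", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"/tn\s+'(?P<name>[^']+)'", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    source: str
    detail: str


def analyse(lines: List[str]) -> List[Finding]:
    """Apply both rules in line order; findings come back in the order they fire."""
    exec_allocs: Dict[Tuple[str, str, int], str] = {}  # (src, dst, base) -> protection
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = ALLOC_RE.match(line)
        if m:
            if "execute" in m["prot"].lower():
                exec_allocs[(m["src"], m["dst"], int(m["base"], 16))] = m["prot"]
            continue
        m = WRITE_RE.match(line)
        if m:
            key = (m["src"], m["dst"], int(m["base"], 16))
            magic = (m["magic"] or "").upper()
            # An MZ header landing in memory the same writer made executable.
            if magic.startswith("4D5A") and key in exec_allocs:
                detail = f"MZ header written into {m['dst']} at 0x{key[2]:X} after allocation with '{exec_allocs[key]}'"
                findings.append(Finding("pe_injection", m["src"], detail))
            continue
        m = PROC_RE.match(line)
        if m and m["image"].lower().endswith("\\schtasks.exe"):
            xml = TEMP_XML_RE.search(m["cmd"])
            if xml:
                name = TASK_NAME_RE.search(m["cmd"])
                task = name["name"] if name else "?"
                findings.append(Finding("schtask_from_temp", m["src"], f"task '{task}' registered from {xml['path']}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(REPORT_LINES):
        print(f.rule, f.source, f.detail)
```

The injection rule deliberately requires the executable allocation and the MZ write to come from the same source process at the same base; a lone write of 4D5A (for example a debugger or an installer patching its own child) does not fire it, which keeps the rule aligned with the "Allocates memory in foreign processes" plus "Injects a PE file" pairing the report shows.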
    Source: C:\Users\user\Desktop\parcel_images.exe Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\, one query per file:
    arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
    calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
    Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
    consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
    corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
    framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
    Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
    LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
    msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
    msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
    Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
    segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf,
    seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf,
    Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\parcel_images.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_0190AF9A GetUserNameW,
    Source: C:\Users\user\Desktop\parcel_images.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
    Source: Yara match File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
    Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
    Source: Yara match File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    barindex
    Detected Nanocore RatShow sources
    Source: parcel_images.exe, 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
    Source: Yara match | File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
    Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A0292E bind,
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_05A028FB bind,

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Access Token Manipulation1 | Masquerading2 | Input Capture11 | Security Software Discovery211 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection312 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection312 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information3 | Proc Filesystem | System Information Discovery13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing33 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

    Behavior Graph

    Behavior Graph ID: 339033 | Sample: parcel_images.exe | Start date: 13/01/2021 | Architecture: WINDOWS | Score: 100

    Start node: DNS/IP cldgr.duckdns.org; signatures at start: Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, 14 other signatures; processes started: parcel_images.exe, RegSvcs.exe, dhcpmon.exe, dhcpmon.exe
    parcel_images.exe: dropped C:\Users\user\AppData\...\kWLVXBfTFQKW.exe (PE32), C:\Users\user\AppData\Local\...\tmp2412.tmp (XML), C:\Users\user\...\parcel_images.exe.log (ASCII); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Writes to foreign memory regions, 2 other signatures; started RegSvcs.exe and schtasks.exe
    RegSvcs.exe (started by parcel_images.exe): contacted cldgr.duckdns.org 69.61.59.215 port 60003 (GLOBALCOMPASSUS, United States); dropped C:\Users\user\AppData\Roaming\...\run.dat (data), C:\Program Files (x86)\...\dhcpmon.exe (PE32); signature: Hides that the sample has been downloaded from the Internet (zone.identifier); started schtasks.exe (two instances)
    RegSvcs.exe, dhcpmon.exe and dhcpmon.exe (started from the start node) each started conhost.exe; each schtasks.exe instance started conhost.exe


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    parcel_images.exe | 48% | Virustotal | | Browse
    parcel_images.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
    parcel_images.exe | 100% | Avira | HEUR/AGEN.1120329 |
    parcel_images.exe | 100% | Joe Sandbox ML | |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | 100% | Avira | HEUR/AGEN.1120329 |
    C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | 100% | Joe Sandbox ML | |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | | Browse
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |
    C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

    Unpacked PE Files

    Source | Detection | Scanner | Label | Link | Download
    4.2.RegSvcs.exe.5cb0000.5.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
    4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    0.2.parcel_images.exe.3d0000.0.unpack | 100% | Avira | HEUR/AGEN.1134873 | | Download File
    0.0.parcel_images.exe.3d0000.0.unpack | 100% | Avira | HEUR/AGEN.1120329 | | Download File

    Domains

    Source | Detection | Scanner | Label | Link
    cldgr.duckdns.org | 5% | Virustotal | | Browse

    URLs

    Source | Detection | Scanner | Label | Link
    http://www.tiro.comw | 0% | Avira URL Cloud | safe |
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
    http://www.jiyu-kobo.co.jp/jp/F | 0% | Avira URL Cloud | safe |
    http://www.fonts.comh | 0% | Avira URL Cloud | safe |
    http://www.jiyu-kobo.co.jp/O | 0% | Avira URL Cloud | safe |
    http://www.tiro.com | 0% | URL Reputation | safe |
    http://www.founder.c | 0% | URL Reputation | safe |
    http://www.tiro.comF | 0% | Avira URL Cloud | safe |
    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
    http://www.fontbureau.comFP | 0% | Avira URL Cloud | safe |
    http://www.fontbureau.coml1 | 0% | URL Reputation | safe |
    http://www.carterandcone.coml | 0% | URL Reputation | safe |
    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
    http://www.typography.netD | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
    http://fontfabrik.com | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
    http://www.fonts.comic | 0% | URL Reputation | safe |
    http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe |
    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/e | 0% | Avira URL Cloud | safe |
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
    http://www.sandoll.co.krlearn | 0% | Avira URL Cloud | safe |
    http://www.sakkal.com | 0% | URL Reputation | safe |
    http://www.sandoll.co.krC | 0% | Avira URL Cloud | safe |
    http://www.jiyu-kobo.co.jp/Y0a | 0% | Avira URL Cloud | safe |
    http://www.sajatypeworks.compe | 0% | Avira URL Cloud | safe |
    http://www.founder.com.cn/cnl-n | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    cldgr.duckdns.org | 69.61.59.215 | true | true | | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.apache.org/licenses/LICENSE-2.0 | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com/designersG | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.tiro.comw | parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers/? | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn/bThe | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.jiyu-kobo.co.jp/jp/F | parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers? | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.fonts.comh | parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/O | parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.tiro.com | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers | parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | false | | high
    http://www.founder.c | parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.tiro.comF | parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.goodfont.co.kr | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.jiyu-kobo.co.jp/jp/ | parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.comFP | parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.coml1 | parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.coml | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sajatypeworks.com | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn/ | parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netD | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn/cThe | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://fontfabrik.com | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-jones.html | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.fonts.comic | parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.jiyu-kobo.co.jp/Y0/ | parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.jiyu-kobo.co.jp/ | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/DPlease | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers8 | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | | high
    http://www.fonts.com | parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | false | | high
    http://www.sandoll.co.kr | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn/e | parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.urwpp.deDPlease | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers: | parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp | false | | high
    http://www.zhongyicts.com.cn | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sandoll.co.krlearn | parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.sakkal.com | parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sandoll.co.krC | parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/Y0a | parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.sajatypeworks.compe | parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.founder.com.cn/cnl-n | parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                          Contacted IPs


                          Public

    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    69.61.59.215 | unknown | United States | | 22653 | GLOBALCOMPASSUS | true

                          General Information

    Joe Sandbox Version: 31.0.0 Red Diamond
    Analysis ID: 339033
    Start date: 13.01.2021
    Start time: 09:43:44
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 10m 18s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: parcel_images.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed: 40
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@18/13@8/1
    EGA Information: Failed
    HDC Information:
                          • Successful, ratio: 7.7% (good quality ratio 3.7%)
                          • Quality average: 31%
                          • Quality standard deviation: 38%
                          HCA Information:
                          • Successful, ratio: 88%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                          • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 92.122.144.200, 51.11.168.160, 92.122.213.194, 92.122.213.247, 8.248.139.254, 67.26.81.254, 8.248.113.254, 67.27.157.254, 8.248.135.254, 52.147.198.201, 51.103.5.186, 20.54.26.129, 52.155.217.156
                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

    Time | Type | Description
    09:44:44 | API Interceptor | 1x Sleep call for process: parcel_images.exe modified
    09:44:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    09:44:52 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
    09:44:52 | API Interceptor | 1373x Sleep call for process: RegSvcs.exe modified
    09:44:55 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: GLOBALCOMPASSUS
Associated Sample Name / URL (Detection: malicious), with context IP:
• a4588f57322665c795bdf720abc23ffc.exe: 69.61.52.111
• Mf1iDAE6bE.exe: 69.61.52.111
• Buchung.doc: 69.61.42.251
• Buchung.doc: 69.61.42.251
• Buchung.doc: 69.61.42.251
• P64.exe: 69.61.38.132
• http://v.ht/v6GD: 69.61.26.121

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Associated Sample Name / URL (Detection: malicious):
• 0712020.exe
• JfRbEbUkpV39K4L.exe
• DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe
• DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe
• zC3edqmNNt.exe
• Shipping Document.pdf..exe
• PPR & CPR_HEA_DECEMBER 4 2020.exe
• AdministratorDownloadsBL,.rar.exe
• signed_19272.zip(#U007e18 KB) (2).exe
• TT Swift Copy..,.exe
• Invoice-.exe
• Invoice..,.exe
• Bank Update Info.exe
• eLPEEvaFgq6CHTS.exe
• NR.13346.exe
• Quote 571189.exe
• WyLE6g2Vrj.exe
• SKM_C3350191107102300.exe
• PO#1709 SHI Pdf.exe
• DHL SHIPPINC DOCUUMEN....exe

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 32768
Entropy (8bit): 3.7515815714465193
Encrypted: false
SSDEEP: 384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5: 71369277D09DA0830C8C59F9E22BB23A
SHA1: 37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256: D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512: 2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 0712020.exe, Detection: malicious
• Filename: JfRbEbUkpV39K4L.exe, Detection: malicious
• Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
• Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
• Filename: zC3edqmNNt.exe, Detection: malicious
• Filename: Shipping Document.pdf..exe, Detection: malicious
• Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious
• Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious
• Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious
• Filename: TT Swift Copy..,.exe, Detection: malicious
• Filename: Invoice-.exe, Detection: malicious
• Filename: Invoice..,.exe, Detection: malicious
• Filename: Bank Update Info.exe, Detection: malicious
• Filename: eLPEEvaFgq6CHTS.exe, Detection: malicious
• Filename: NR.13346.exe, Detection: malicious
• Filename: Quote 571189.exe, Detection: malicious
• Filename: WyLE6g2Vrj.exe, Detection: malicious
• Filename: SKM_C3350191107102300.exe, Detection: malicious
• Filename: PO#1709 SHI Pdf.exe, Detection: malicious
• Filename: DHL SHIPPINC DOCUUMEN....exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 120
Entropy (8bit): 5.016405576253028
Encrypted: false
SSDEEP: 3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5: 50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1: 79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256: 14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512: 1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious: false
Preview (CRLF line breaks expanded):
1,"fusion","GAC",0
2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 120
Entropy (8bit): 5.016405576253028
Encrypted: false
SSDEEP: 3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5: 50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1: 79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256: 14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512: 1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious: false
Preview (CRLF line breaks expanded):
1,"fusion","GAC",0
2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\parcel_images.exe.log
Process: C:\Users\user\Desktop\parcel_images.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: true
Preview (CRLF line breaks expanded):
1,"fusion","GAC",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0
C:\Users\user\AppData\Local\Temp\tmp2412.tmp
Process: C:\Users\user\Desktop\parcel_images.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.205985051645918
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGtn:cbh47TlNQ//rydbz9I3YODOLNdq3K
MD5: 46E9E8EC1EFA43B5667F496648C15EAF
SHA1: 6AE45D320AC09AEA99CA3103C5A46A97B8D3AF3C
SHA-256: 18E19AB18E0DC61E3076AEBEC9EB5A6C1BD4904B53C767CDECE8E69F4AA5EDAF
SHA-512: 0FBF69C3FBB651ECC7299AE53EDA9D3DEB1B93DC0CE518B313FAFDBFE1FAC84FD26D0ABE1B984E32897B69CC03598698109DF079385994E0FEF2E186066553D6
Malicious: true
Preview (truncated; CRLF line breaks expanded):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true
C:\Users\user\AppData\Local\Temp\tmpB461.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1320
Entropy (8bit): 5.135021273392143
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5: 40B11EF601FB28F9B2E69D36857BF2EC
SHA1: B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256: C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512: E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious: false
Preview (truncated; CRLF line breaks expanded):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
C:\Users\user\AppData\Local\Temp\tmpB81B.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview (truncated; CRLF line breaks expanded):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <Wak
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:Ot:C
MD5: E398E3F1CD99EEB8CA347854BB3BE3C8
SHA1: A2AE483FB695B17B260BA64D668C2B45115637AC
SHA-256: 65FEAEA5580D02F5666021D68C872A98AA2FD31D2279DD9DD3FB57254D2C1058
SHA-512: AB38564C16F6152EBD0A8C8F79851962140A74A8F84CDC594CD7ABAF227BD8A493E682DC06D6B2D74D98B7BFD1DD7DFDB70F913D5455AF9DA876E0AEBC468824
Malicious: true
Preview: ......H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.795707286467131
Encrypted: false
SSDEEP: 3:oMty8WbSX/MNn:oMLWus
MD5: D685103573539B7E9FDBF5F1D7DD96CE
SHA1: 4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256: D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512: 17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious: false
Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe
Process: C:\Users\user\Desktop\parcel_images.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1350144
Entropy (8bit): 7.4795202963682215
Encrypted: false
SSDEEP: 24576:fuul9wO6Vb1qm/gr5535mQwWdt3XB0zTaZ5VqIuJ:WA9dM1qKgr5N5mQVD3XoaEIuJ
MD5: 5F8A97A2C2B464C360A3628C73B88103
SHA1: 134AF6300DF733356A3BD6DBE94F42DBFD2F31D8
SHA-256: 74995E87513E47357C351F37565A1422202DACE38DC789308D72417B5797B93E
SHA-512: 2FD1F73C6BD869787347D1BDEA9D535E6ADA26DB2AEBEE0EF9A827D00D76654641A42DDF4763443F9D6181C75D8ED69375E9E52C19B16F50631C56E13382B446
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@.....................................O.... ..x............................................................................ ............... ..H............text........ ...................... ..`.rsrc...x.... ......................@..@.reloc..............................@..B........................H........k..................x...........................................G.WI`,@..[.t`[SC..8<.X<.J..s..-.....~....k.0.......%..........b..,].4...\.5r4... .k..R.h8tJ_.....e.G .e..e}.3.yU....D......4H.T:..B5.._.J....L..g..~.96...,...........*.Y...I.i8..-...!.^e...*G...r............e.,g.F...Fh.p3E.1.;*..m?...A...I.}..G.p......B..D(.krX..{.?..d.....r.....Qq.b.s....b...U.K..z.S..-7.#...mA`(.....=...../2.}...$.....2{<.%}...pV....b.+3.oL...W~...KHE.*j5...^..+.
\Device\ConDrv
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1145
Entropy (8bit): 4.462201512373672
Encrypted: false
SSDEEP: 24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5: 46EBEB88876A00A52CC37B1F8E0D0438
SHA1: 5E5DB352F964E5F398301662FF558BD905798A65
SHA-256: D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512: E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious: false
Preview (CRLF line breaks expanded):
Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922
Copyright (c) Microsoft Corporation. All rights reserved.

USAGE: regsvcs.exe [options] AssemblyName
Options:
 /? or /help        Display this usage message.
 /fc                Find or create target application (default).
 /c                 Create target application, error if it already exists.
 /exapp             Expect an existing application.
 /tlb:<tlbfile>     Filename for the exported type library.
 /appname:<name>    Use the specified name for the target application.
 /parname:<name>    Use the specified name or id for the target partition.
 /extlb             Use an existing type library.
 /reconfig          Reconfigure existing target application (default).
 /noreconfig        Don't reconfigure existing target application.
 /u                 Uninstall target application.
 /nologo            Suppress logo output.
 /quiet             Suppress logo output and success output.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.4795202963682215
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: parcel_images.exe
File size: 1350144
MD5: 5f8a97a2c2b464c360a3628c73b88103
SHA1: 134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256: 74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
SHA512: 2fd1f73c6bd869787347d1bdea9d535e6ada26db2aebee0ef9a827d00d76654641a42ddf4763443f9d6181c75d8ed69375e9e52c19b16f50631c56e13382b446
SSDEEP: 24576:fuul9wO6Vb1qm/gr5535mQwWdt3XB0zTaZ5VqIuJ:WA9dM1qKgr5N5mQVD3XoaEIuJ
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@................................

                                                                  File Icon

                                                                  Icon Hash:00c2a69c95a3b18a

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x510cee
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x5FFDDBCE [Tue Jan 12 17:26:38 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v2.0.50727
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

The bytes after the jmp are all zero; the disassembler renders each 00 00 pair as "add byte ptr [eax], al", which is padding, not code. 0x00402000 is Imagebase 0x400000 plus 0x2000, the RVA of the IAT directory (8 bytes, see Data Directories below), whose single slot is mscoree.dll!_CorExeMain (see Imports). That 6-byte "FF 25 <IAT address>" jump is the standard native entry stub of every .NET executable: the CLR, not this stub, runs the managed code, so the entry point reveals nothing specific about the sample's behaviour.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x110c9c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x112000 | 0x3a778 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

The non-empty COM_DESCRIPTOR (CLR header) entry is what marks the file as a managed image; the empty SECURITY entry confirms there is no Authenticode signature.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10ecf4 | 0x10ee00 | False | 0.764669618136 | data | 7.47102153037 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x112000 | 0x3a778 | 0x3a800 | False | 0.758188100962 | data | 7.35311799178 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

.text, which in a .NET image holds the CIL code, the metadata and any embedded data, has an entropy of 7.47 bits per byte; compiled code does not reach that level, so most of the section is compressed or encrypted data. .rsrc is high-entropy as well, but that is explained by the PNG icons listed under Resources. The 0xc-byte .reloc is normal for a .NET executable, which needs exactly one base relocation for the absolute address in its entry stub.

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x112400 | 0x5d9b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x11819c | 0x668 | data | |
RT_ICON | 0x118804 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x118aec | 0x1e8 | data | |
RT_ICON | 0x118cd4 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x118dfc | 0xbc4e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x124a4c | 0xea8 | data | |
RT_ICON | 0x1258f4 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14808060, next used block 15528179 | |
RT_ICON | 0x12619c | 0x6c8 | data | |
RT_ICON | 0x126864 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x126dcc | 0x106e1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x1374b0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4293322470, next used block 4293322470 | |
RT_ICON | 0x147cd8 | 0x25a8 | data | |
RT_ICON | 0x14a280 | 0x10a8 | data | |
RT_ICON | 0x14b328 | 0x988 | data | |
RT_ICON | 0x14bcb0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x14c118 | 0xe6 | GLS_BINARY_LSB_FIRST | |
RT_VERSION | 0x14c200 | 0x388 | data | |
RT_MANIFEST | 0x14c588 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

The Type column is libmagic's guess over the raw resource bytes. "dBase IV DBT", "GLS_BINARY_LSB_FIRST" and "data" are misidentifications of the DIB bitmap data that RT_ICON resources carry, while the 256 x 256 entries are genuine PNG icons. The RT_GROUP_ICON entry of 0xe6 bytes (a 6-byte header plus 16 directory entries of 14 bytes) ties the 16 RT_ICON images together. Language and Country are empty for every entry.

Imports

DLL | Import
mscoree.dll | _CorExeMain

The only native import is the CLR entry point; every other API the sample uses is resolved at run time through the runtime, so this import table, and therefore the Import Hash above, is shared by practically every .NET executable and carries little signal on its own.
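The Entrypoint Preview, Data Directories, Sections and Imports above are the fields a static triage reads first. The following is an added example, not code from the report or from Joe Security, that pulls those fields out of a PE32 with the Python standard library: it checks for a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), verifies the 6-byte FF 25 jump-through-IAT entry stub, and computes per-section entropy the way the Sections table reports it. The minimal PE produced by build_sample_pe() is constructed for illustration only (IAT and CLR header placed at RVA 0x2010 and 0x2018, .text at RVA 0x2000) and contains no real code; the 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value taken from the report.

```python
"""Static triage of a PE32 along the lines of the report's Static PE Info:
managed (.NET) image or not, standard jmp [IAT] entry stub or not, and
per-section entropy to spot a packed or encrypted payload.
Added example, not code from the Joe Sandbox report or Joe Security; standard
library only.  build_sample_pe() constructs a minimal PE32 for illustration;
it carries no real code and is not runnable."""
import math
import struct

PE32_MAGIC = 0x10B
DIR_IAT = 12              # IMAGE_DIRECTORY_ENTRY_IAT
DIR_COM_DESCRIPTOR = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
PACKED_ENTROPY = 7.0      # bits/byte, assumed rule of thumb; plain code sits well below

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe32(buf: bytes) -> dict:
    """Read the header fields the triage needs (PE32 only)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24                                         # optional header start
    if struct.unpack_from("<H", buf, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):   # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, rawsz, rawptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsz": rawsz, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(info: dict, rva: int) -> int:
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsz"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def is_dotnet(info: dict) -> bool:
    """A non-empty CLR (COM descriptor) data directory marks a managed image."""
    return len(info["dirs"]) > DIR_COM_DESCRIPTOR and info["dirs"][DIR_COM_DESCRIPTOR][1] != 0

def entry_is_clr_stub(buf: bytes, info: dict) -> bool:
    """FF 25 <ImageBase + IAT RVA> at the entry point, i.e. jmp dword ptr [IAT]:
    the native stub that hands control to mscoree!_CorExeMain through the IAT."""
    if len(info["dirs"]) <= DIR_IAT:
        return False
    off = rva_to_offset(info, info["entry_rva"])
    expect = b"\xff\x25" + struct.pack("<I", info["image_base"] + info["dirs"][DIR_IAT][0])
    return buf[off:off + 6] == expect

def section_entropies(buf: bytes, info: dict) -> dict:
    """Entropy over the bytes actually used (raw size capped by virtual size)."""
    return {s["name"]: shannon_entropy(buf[s["rawptr"]:s["rawptr"] + min(s["rawsz"], s["vsize"] or s["rawsz"])])
            for s in info["sections"]}

def triage(buf: bytes) -> list:
    info = parse_pe32(buf)
    findings = []
    if is_dotnet(info):
        findings.append("managed image: CLR header present")
    if entry_is_clr_stub(buf, info):
        findings.append("entry point is the standard jmp [IAT] .NET stub")
    for name, ent in section_entropies(buf, info).items():
        if ent > PACKED_ENTROPY:
            findings.append(f"high-entropy section {name}: {ent:.2f} bits/byte (packed/encrypted payload likely)")
    return findings

def build_sample_pe(text: bytes, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x2000, file offset 0x200."""
    pe_off, raw_ptr, ndirs = 0x40, 0x200, 16
    opt_size = 96 + 8 * ndirs
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 8, 0, len(text), 0, 0, 0x2000, 0x2000, 0,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, raw_ptr, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, ndirs)
    dirs = [(0, 0)] * ndirs
    dirs[DIR_IAT] = (0x2010, 8)                      # IAT slot right behind the stub (assumed layout)
    if dotnet:
        dirs[DIR_COM_DESCRIPTOR] = (0x2018, 0x48)    # CLR header (assumed layout)
    raw_sz = (len(text) + 0x1FF) & ~0x1FF
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, raw_sz, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + sec
    return hdr.ljust(raw_ptr, b"\0") + text.ljust(raw_sz, b"\0")

# Constructed samples: the 6-byte stub jmp [0x402010], padding, then a uniform-byte
# "payload" (packed look) or a run of NOPs (plain look, and no CLR header).
STUB = b"\xff\x25" + struct.pack("<I", 0x402010)
PACKED_SAMPLE = build_sample_pe(STUB.ljust(0x10, b"\0") + bytes(range(256)) * 16)
PLAIN_SAMPLE = build_sample_pe(STUB.ljust(0x10, b"\0") + b"\x90" * 4096, dotnet=False)

if __name__ == "__main__":
    for f in triage(PACKED_SAMPLE):
        print("-", f)
```

On a real file, replace PACKED_SAMPLE with the bytes read from disk; on this sample the same checks would return a CLR header at RVA 0x2008, a stub jumping through 0x402000, and a .text entropy of about 7.47, which is the combination the tables above show.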

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Overwolf 2011 - 2020
Assembly Version | 2.159.0.0
InternalName | x.exe
FileVersion | 2.159.0.0
CompanyName | Overwolf Ltd.
LegalTrademarks | (empty)
Comments | Overwolf Launcher
ProductName | OverwolfLauncher
ProductVersion | 2.159.0.0
FileDescription | OverwolfLauncher
OriginalFilename | x.exe

These strings present the file as the Overwolf launcher, but the file carries no Authenticode signature (Digitally signed: false above), its OriginalFilename (x.exe) does not match the submitted name, and version-info strings are free-form metadata that anyone can set. They cannot be taken as provenance.

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 09:44:54.503850937 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:44:57.607218027 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:03.607698917 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:13.267003059 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:16.265085936 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:22.266592026 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:31.136185884 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:34.125889063 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:40.126391888 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:48.364228010 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:51.377432108 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:57.377882957 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:07.698630095 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:10.707190037 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:16.707817078 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:25.805608988 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:28.818238974 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:34.834044933 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:44.508152008 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:47.522659063 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:53.538759947 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:01.371797085 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:04.383424997 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:10.383960962 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:21.661951065 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:24.668900967 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:30.685117960 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:39.034679890 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:42.047029972 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:48.045860052 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:55.899095058 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:58.890527964 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:48:04.891077042 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215

All 33 TCP packets go from the analysis host 192.168.2.3 to 69.61.59.215:60003 and none come back. They fall into 11 groups of three, one per client source port, spaced about 3 s and then 6 s apart, which is the Windows default SYN retransmission schedule: each group is one connection attempt that went unanswered, and the sample opened a new socket roughly every 17 to 20 s. The destination was not reachable during this run, so no C2 session is recorded here; the port, the address and the retry cadence are the usable indicators.
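Triage of a capture like the TCP table above can be automated: group packets by client source port (one connect() attempt each), compare the spacing inside an attempt with the Windows SYN retransmission schedule, and measure how often a new attempt starts. The block below is an added example, not tooling from the report or from Joe Security. Its input rows are transcribed from the TCP Packets table on this page; the "unanswered" label it produces is an inference from timing alone, since the capture lists no packet back from 69.61.59.215, and the 0.5 s tolerance is an assumed value.

```python
"""Beacon triage over the report's TCP Packets table.  One client source port is
one connect() attempt; packets inside an attempt are checked against the
Windows SYN-retransmit schedule (~3 s, then ~6 s, then give up), and the
cadence of new attempts is measured.  Added example, not tooling from the
report or Joe Security; rows are transcribed from the table above, and the
"unanswered" label is an inference from timing (no reply packets appear)."""
from collections import defaultdict
from datetime import datetime

TCP_PACKETS = """\
Jan 13, 2021 09:44:54.503850937 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:44:57.607218027 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:03.607698917 CET | 49713 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:13.267003059 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:16.265085936 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:22.266592026 CET | 49720 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:31.136185884 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:34.125889063 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:40.126391888 CET | 49732 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:48.364228010 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:51.377432108 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:45:57.377882957 CET | 49745 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:07.698630095 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:10.707190037 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:16.707817078 CET | 49746 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:25.805608988 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:28.818238974 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:34.834044933 CET | 49749 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:44.508152008 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:47.522659063 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:46:53.538759947 CET | 49751 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:01.371797085 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:04.383424997 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:10.383960962 CET | 49752 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:21.661951065 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:24.668900967 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:30.685117960 CET | 49760 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:39.034679890 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:42.047029972 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:48.045860052 CET | 49764 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:55.899095058 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:47:58.890527964 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215
Jan 13, 2021 09:48:04.891077042 CET | 49765 | 60003 | 192.168.2.3 | 69.61.59.215
"""

SYN_RTO_SCHEDULE = (3.0, 6.0)   # Windows default: retransmit SYN after 3 s, then 6 s
TOLERANCE_S = 0.5               # assumed slack for scheduler jitter

def parse_ts(s: str) -> float:
    """'Jan 13, 2021 09:44:54.503850937 CET' -> seconds; 9-digit fraction kept to 1 us."""
    stamp, _tz = s.rsplit(" ", 1)
    main, frac = stamp.rsplit(".", 1)
    dt = datetime.strptime(main, "%b %d, %Y %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds() + int(frac[:6]) / 1e6

def parse_rows(table: str) -> list:
    rows = []
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        rows.append((parse_ts(ts), int(sport), int(dport), src, dst))
    return rows

def group_attempts(rows: list) -> dict:
    """(src, sport, dst, dport) -> sorted packet times of that attempt."""
    flows = defaultdict(list)
    for t, sport, dport, src, dst in rows:
        flows[(src, sport, dst, dport)].append(t)
    return {k: sorted(v) for k, v in flows.items()}

def gaps(times: list) -> list:
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

def looks_unanswered(times: list) -> bool:
    """Exactly SYN + the scheduled retransmits, each on time, and nothing after."""
    g = gaps(times)
    return len(times) == len(SYN_RTO_SCHEDULE) + 1 and all(
        abs(got - want) <= TOLERANCE_S for got, want in zip(g, SYN_RTO_SCHEDULE))

def summarize(table: str) -> dict:
    """Per (dst, dport): attempts, how many look unanswered, and the retry cadence."""
    out = {}
    for (src, sport, dst, dport), times in group_attempts(parse_rows(table)).items():
        d = out.setdefault((dst, dport), {"attempts": 0, "unanswered": 0, "first_syn": []})
        d["attempts"] += 1
        d["unanswered"] += int(looks_unanswered(times))
        d["first_syn"].append(times[0])
    for d in out.values():
        g = gaps(sorted(d.pop("first_syn")))
        d["retry_cadence_s"] = (min(g), max(g)) if g else None
    return out

if __name__ == "__main__":
    for (dst, port), d in summarize(TCP_PACKETS).items():
        print(f"{dst}:{port} attempts={d['attempts']} unanswered={d['unanswered']} "
              f"retry cadence {d['retry_cadence_s']} s")
```

On this table the summary is a single destination, 69.61.59.215:60003, with 11 attempts, all 11 matching the unanswered-SYN pattern, and a retry cadence between about 16.9 s and 20.3 s. A flow that did get a reply would show a different shape (more than three packets, irregular spacing), so the same grouping also separates a live session from a dead beacon.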

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 09:44:34.333743095 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:44:34.381649971 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:44:37.203447104 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:44:37.262717962 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:44:38.185195923 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:44:38.233155012 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:01.545357943 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:01.603347063 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:04.449789047 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:04.497692108 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:10.722126961 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:10.772866011 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:13.894362926 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:13.955360889 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:19.268448114 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:19.328114986 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:23.259563923 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:23.307626963 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:24.156563044 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:24.207159996 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:25.034158945 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:25.082011938 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:25.856472969 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:25.904483080 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:26.228674889 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:26.285161972 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:26.704996109 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:26.752753973 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:27.869165897 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:27.917099953 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:28.924225092 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:28.988331079 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:30.135087967 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:30.183042049 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:31.868583918 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:31.919320107 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:32.754411936 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:32.802298069 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:33.937077999 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:33.984966040 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:34.811177015 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:34.858980894 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:35.070216894 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:35.127886057 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:35.892827988 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:35.943481922 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:36.697566986 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:36.748310089 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:37.945439100 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:37.993451118 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:45:48.135365963 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:45:48.361251116 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:46:05.627103090 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:06.613348007 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:07.640835047 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:07.681154013 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:07.697180033 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:46:07.729074955 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:46:08.133135080 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:08.189217091 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:46:24.709707022 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:25.747082949 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:25.803514957 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:46:27.355315924 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:46:27.406039953 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:17.882894039 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:17.939028978 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:18.490910053 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:18.550342083 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:19.339732885 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:19.399055004 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:19.786098003 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:19.842426062 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:20.247715950 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:20.306716919 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:20.836133957 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:20.884103060 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:21.355182886 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:21.403188944 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:21.973181009 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 09:47:22.032345057 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 09:47:22.760703087 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8

Every UDP packet is a DNS exchange with 8.8.8.8; the queried names are not listed in this part of the report. Each query is normally answered within about 50 ms, but the queries from source ports 60633 (sent three times) and 64938 (twice) were retransmitted before an answer arrived, and the table as captured ends with the query from port 55708 without its answer.
                                                                  Jan 13, 2021 09:47:22.808765888 CET53557088.8.8.8192.168.2.3
                                                                  Jan 13, 2021 09:47:23.188142061 CET5680353192.168.2.38.8.8.8
                                                                  Jan 13, 2021 09:47:23.246738911 CET53568038.8.8.8192.168.2.3
                                                                  Jan 13, 2021 09:47:38.812094927 CET5714553192.168.2.38.8.8.8
                                                                  Jan 13, 2021 09:47:39.034037113 CET53571458.8.8.8192.168.2.3
                                                                  Jan 13, 2021 09:47:55.578761101 CET5535953192.168.2.38.8.8.8
                                                                  Jan 13, 2021 09:47:55.898293972 CET53553598.8.8.8192.168.2.3

                                                                  DNS Queries

                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                  Jan 13, 2021 09:45:48.135365963 CET | 192.168.2.3 | 8.8.8.8 | 0x87b | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:05.627103090 CET | 192.168.2.3 | 8.8.8.8 | 0x4c82 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:06.613348007 CET | 192.168.2.3 | 8.8.8.8 | 0x4c82 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:07.640835047 CET | 192.168.2.3 | 8.8.8.8 | 0x4c82 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:24.709707022 CET | 192.168.2.3 | 8.8.8.8 | 0xe1e2 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:25.747082949 CET | 192.168.2.3 | 8.8.8.8 | 0xe1e2 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:47:38.812094927 CET | 192.168.2.3 | 8.8.8.8 | 0x79e | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:47:55.578761101 CET | 192.168.2.3 | 8.8.8.8 | 0xf082 | Standard query (0) | cldgr.duckdns.org | A (IP address) | IN (0x0001)

                                                                  DNS Answers

                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                  Jan 13, 2021 09:45:48.361251116 CET | 8.8.8.8 | 192.168.2.3 | 0x87b | No error (0) | cldgr.duckdns.org | (none) | 69.61.59.215 | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:07.697180033 CET | 8.8.8.8 | 192.168.2.3 | 0x4c82 | No error (0) | cldgr.duckdns.org | (none) | 69.61.59.215 | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:46:25.803514957 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e2 | No error (0) | cldgr.duckdns.org | (none) | 69.61.59.215 | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:47:39.034037113 CET | 8.8.8.8 | 192.168.2.3 | 0x79e | No error (0) | cldgr.duckdns.org | (none) | 69.61.59.215 | A (IP address) | IN (0x0001)
                                                                  Jan 13, 2021 09:47:55.898293972 CET | 8.8.8.8 | 192.168.2.3 | 0xf082 | No error (0) | cldgr.duckdns.org | (none) | 69.61.59.215 | A (IP address) | IN (0x0001)

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time: 09:44:36
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Users\user\Desktop\parcel_images.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'C:\Users\user\Desktop\parcel_images.exe'
                                                                  Imagebase: 0x3d0000
                                                                  File size: 1350144 bytes
                                                                  MD5 hash: 5F8A97A2C2B464C360A3628C73B88103
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation: low

                                                                  General

                                                                  Start time: 09:44:47
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
                                                                  Imagebase: 0xd40000
                                                                  File size: 185856 bytes
                                                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:48
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:48
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: {path}
                                                                  Imagebase: 0xfd0000
                                                                  File size: 32768 bytes
                                                                  MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation: moderate

                                                                  General

                                                                  Start time: 09:44:50
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
                                                                  Imagebase: 0xd40000
                                                                  File size: 185856 bytes
                                                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:50
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:51
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
                                                                  Imagebase: 0xd40000
                                                                  File size: 185856 bytes
                                                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:51
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:52
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
                                                                  Imagebase: 0x800000
                                                                  File size: 32768 bytes
                                                                  MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Reputation: moderate

                                                                  General

                                                                  Start time: 09:44:53
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:55
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                  Imagebase: 0xad0000
                                                                  File size: 32768 bytes
                                                                  MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Antivirus matches:
                                                                  • Detection: 0%, Metadefender
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation: moderate

                                                                  General

                                                                  Start time: 09:44:55
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  General

                                                                  Start time: 09:44:59
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit): true
                                                                  Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                  Imagebase: 0x160000
                                                                  File size: 32768 bytes
                                                                  MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: .Net C# or VB.NET
                                                                  Reputation: moderate

                                                                  General

                                                                  Start time: 09:44:59
                                                                  Start date: 13/01/2021
                                                                  Path: C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit): false
                                                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase: 0x7ff6b2800000
                                                                  File size: 625664 bytes
                                                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges: true
                                                                  Has administrator privileges: true
                                                                  Programmed in: C, C++ or other language
                                                                  Reputation: high

                                                                  Disassembly

                                                                  Code Analysis