Analysis Report DHL_file 187652345643476245.exe

Overview

General Information

Sample Name: DHL_file 187652345643476245.exe
Analysis ID: 336532
MD5: 303e92008ea45abde4fc35d8d176015d
SHA1: 29ff646c7c04a2be614bdbe87f73df87add78dda
SHA256: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
Tags: DHL, exe, Hostwinds, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.1256.17.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.160.233", "105.112.113.90"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\demiusda.exe ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL_file 187652345643476245.exe ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack Avira: Label: TR/NanoCore.fadte
Source: 17.2.AddInProcess32.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then jmp 02DAF636h 0_2_02DAEE70
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then jmp 02DAF636h 0_2_02DAEE62
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then jmp 02DAF636h 0_2_02DAEE28
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_057AB160
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057A5D80
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057A3E0C
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_057ADEB8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_057A4BC8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_057A4BC8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov esp, ebp 0_2_057ACAB0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_057AB153
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057A43C5
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_057ADF90
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057A5E60
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_057ADEA8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_057A48A8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_057A48A8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_057A489D
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_057A489D
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then xor edx, edx 0_2_057A4B00
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_057A6BFC
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_057A4BBD
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_057A4BBD
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then xor edx, edx 0_2_057A4AF4
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 4x nop then mov esp, ebp 0_2_057ACAA1
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 0318F636h 12_2_0318ED7F
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 0318F636h 12_2_0318EE63
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 058891E7h 12_2_058890B8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 0588868Eh 12_2_05888588
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 0588868Eh 12_2_05888598
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 058891E7h 12_2_058890A8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 4x nop then jmp 058891E7h 12_2_0588921B
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 015E0799h 19_2_015E0560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 015E0799h 19_2_015E0553
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 02700799h 20_2_02700560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 02700799h 20_2_02700551
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 032E0799h 22_2_032E0560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Code function: 4x nop then jmp 032E0799h 22_2_032E0552

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 185.157.160.233
Source: Malware configuration extractor IPs: 105.112.113.90
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 185.157.160.233:2020
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 105.112.113.90:2020
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.157.160.233 185.157.160.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown DNS traffic detected: queries for: annapro.linkpc.net
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307699321.0000000001519000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp:
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/Ident

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: demiusda.exe, 0000000C.00000002.612789504.000000000152A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058843A0 CreateProcessAsUserW, 12_2_058843A0
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_00BC471C 0_2_00BC471C
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DA4098 0_2_02DA4098
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DA4800 0_2_02DA4800
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAA918 0_2_02DAA918
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAEE70 0_2_02DAEE70
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DA9E20 0_2_02DA9E20
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAF768 0_2_02DAF768
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAD700 0_2_02DAD700
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DABC40 0_2_02DABC40
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DA7C20 0_2_02DA7C20
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAA909 0_2_02DAA909
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAD6F0 0_2_02DAD6F0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAEE62 0_2_02DAEE62
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DA9E10 0_2_02DA9E10
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAEE28 0_2_02DAEE28
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DAF758 0_2_02DAF758
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_02DABC30 0_2_02DABC30
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A87F8 0_2_057A87F8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A5930 0_2_057A5930
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057ABA00 0_2_057ABA00
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057AC520 0_2_057AC520
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057AC510 0_2_057AC510
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A536F 0_2_057A536F
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A5380 0_2_057A5380
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A0380 0_2_057A0380
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057A5923 0_2_057A5923
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057AB9F0 0_2_057AB9F0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057AB9B0 0_2_057AB9B0
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_03187BB0 12_2_03187BB0
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318A909 12_2_0318A909
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_03184098 12_2_03184098
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318F768 12_2_0318F768
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_03189E10 12_2_03189E10
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318D6F0 12_2_0318D6F0
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318ED7F 12_2_0318ED7F
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318BC30 12_2_0318BC30
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318F758 12_2_0318F758
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_0318EE63 12_2_0318EE63
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05880CC8 12_2_05880CC8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058813F8 12_2_058813F8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05885B00 12_2_05885B00
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05883210 12_2_05883210
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058849A8 12_2_058849A8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058829C7 12_2_058829C7
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058829D8 12_2_058829D8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05882550 12_2_05882550
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05882560 12_2_05882560
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05880CB8 12_2_05880CB8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05883C60 12_2_05883C60
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05883C70 12_2_05883C70
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_058813E8 12_2_058813E8
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05886720 12_2_05886720
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05885AF0 12_2_05885AF0
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_05883200 12_2_05883200
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_00B12050 17_2_00B12050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_013EE471 17_2_013EE471
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_013EE480 17_2_013EE480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_013EBBD4 17_2_013EBBD4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_0557F5F8 17_2_0557F5F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_05579788 17_2_05579788
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_0557A602 17_2_0557A602
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Sample file is different than original file name gathered from version info
Source: DHL_file 187652345643476245.exe, 00000000.00000002.310619825.0000000005690000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307262138.0000000000C66000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309116173.0000000004ED0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Yara signature match
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: DHL_file 187652345643476245.exe, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DHL_file 187652345643476245.exe, g0XP/Aq8w.cs Cryptographic APIs: 'CreateDecryptor'
Source: demiusda.exe.0.dr, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: demiusda.exe.0.dr, g0XP/Aq8w.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.demiusda.exe.d50000.0.unpack, g0XP/Aq8w.cs Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@38/25@3/3
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1463e4a3-f6a6-4e08-9907-1283c197d8fd}
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: DHL_file 187652345643476245.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\demiusda.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_file 187652345643476245.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File read: C:\Users\user\Desktop\DHL_file 187652345643476245.exe
Source: unknown Process created: C:\Users\user\Desktop\DHL_file 187652345643476245.exe 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_file 187652345643476245.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_file 187652345643476245.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000011.00000000.384796017.0000000000B12000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_00BC6DF4 push cs; retf 0_2_00BC6DF5
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_00BC23E0 push esp; retn 0000h 0_2_00BC23E1
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_00BC3400 push cs; retf 0_2_00BC3401
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Code function: 0_2_057ADE4B pushad ; ret 0_2_057ADE51
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_00D53400 push cs; retf 12_2_00D53401
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_00D56DF4 push cs; retf 12_2_00D56DF5
Source: C:\Users\user\AppData\Roaming\demiusda.exe Code function: 12_2_00D523E0 push esp; retn 0000h 12_2_00D523E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_055769FA push esp; retf 17_2_05576A01
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 17_2_055769F8 pushad ; retf 17_2_055769F9
Source: watchprcss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: watchprcss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: watchprcss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: watchprcss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: watchprcss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Roaming\demiusda.exe
Source: C:\Users\user\AppData\Roaming\demiusda.exe File created: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe File opened: C:\Users\user\Desktop\DHL_file 187652345643476245.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\demiusda.exe File opened: C:\Users\user\AppData\Roaming\demiusda.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: DHL_file 187652345643476245.exe PID: 6652, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\demiusda.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Window / User API: threadDelayed 1876
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Window / User API: threadDelayed 7966
Source: C:\Users\user\AppData\Roaming\demiusda.exe Window / User API: threadDelayed 3323
Source: C:\Users\user\AppData\Roaming\demiusda.exe Window / User API: threadDelayed 6449
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 4687
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 4815
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: foregroundWindowGot 717
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6740 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6740 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6744 Thread sleep count: 1876 > 30
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6744 Thread sleep count: 7966 > 30
Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 1932 Thread sleep count: 3323 > 30
Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 1932 Thread sleep count: 6449 > 30
Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 6416 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 5196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 5856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 6708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 3420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 4736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 2992 Thread sleep time: -922337203685477s >= -30000s
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: VMware
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: watchprcss.exe, 00000013.00000002.413466462.000000000165D000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: watchprcss.exe, 00000024.00000002.510482308.00000000007CE000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy?
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: watchprcss.exe, 0000001D.00000002.458092576.00000000011E8000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: watchprcss.exe, 0000001B.00000002.445196253.0000000000FF3000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 420000
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000
Source: C:\Users\user\AppData\Roaming\demiusda.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: DAF008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Source: C:\Users\user\AppData\Roaming\demiusda.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.624665686.00000000060AB000.00000004.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AddInProcess32.exe, 00000011.00000002.615550274.0000000002F52000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: AddInProcess32.exe, 00000011.00000002.615550274.0000000002F52000.00000004.00000001.sdmp Binary or memory string: Program Manager@

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Queries volume information: C:\Users\user\Desktop\DHL_file 187652345643476245.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\demiusda.exe Queries volume information: C:\Users\user\AppData\Roaming\demiusda.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\demiusda.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\demiusda.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: demiusda.exe, 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 336532, Sample: DHL_file 187652345643476245.exe, Start date: 06/01/2021, Architecture: WINDOWS, Score: 100)

[Graph image not reproduced; the process tree, dropped files, signatures and network contacts it shows are listed below. The icon legend is omitted.]

Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

DHL_file 187652345643476245.exe (started)
    dropped: C:\Users\user\AppData\Roaming\demiusda.exe, PE32
    dropped: C:\Users\user\AppData\...\AddInProcess32.exe, PE32
    dropped: C:\Users\...\demiusda.exe:Zone.Identifier, ASCII
    dropped: C:\...\DHL_file 187652345643476245.exe.log, ASCII
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> demiusda.exe (started)
        dropped: C:\Users\user\AppData\...\watchprcss.exe, PE32
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        -> AddInProcess32.exe (started)
            network: 185.157.160.233, 2020 (OBE-EUROPEObenetworkEuropeSE, Sweden)
            network: annapro.linkpc.net 105.112.113.90, 2020 (VNL1-ASNG, Nigeria)
            dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
        -> watchprcss.exe (started)
            network: 192.168.2.1 (unknown, unknown)
            -> watchprcss.exe (started)
        -> watchprcss.exe (started)
            -> watchprcss.exe (started)
        -> 6 other processes
            -> watchprcss.exe (started)
            -> watchprcss.exe (started)
            -> watchprcss.exe (started)
            -> 3 other processes

Contacted Public IPs

IP               Domain   Country  ASN     ASN Name                      Malicious
185.157.160.233  unknown  Sweden   197595  OBE-EUROPEObenetworkEuropeSE  true
105.112.113.90   unknown  Nigeria  36873   VNL1-ASNG                     false

Private

IP
192.168.2.1

Contacted Domains

Name                IP              Active
annapro.linkpc.net  105.112.113.90  true