
Analysis Report DHL_file 187652345643476245.exe

Overview

General Information

Sample Name: DHL_file 187652345643476245.exe
Analysis ID: 336532
MD5: 303e92008ea45abde4fc35d8d176015d
SHA1: 29ff646c7c04a2be614bdbe87f73df87add78dda
SHA256: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
Tags: DHL, exe, Hostwinds, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHL_file 187652345643476245.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
    • demiusda.exe (PID: 1240 cmdline: 'C:\Users\user\AppData\Roaming\demiusda.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
      • AddInProcess32.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • watchprcss.exe (PID: 5164 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6304 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5024 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 4076 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7020 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 476 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6284 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 1724 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7040 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6216 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.160.233", "105.112.113.90"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2f25:$a: NanoCore
  • 0x2f7e:$a: NanoCore
  • 0x2fbb:$a: NanoCore
  • 0x3034:$a: NanoCore
  • 0x166df:$a: NanoCore
  • 0x166f4:$a: NanoCore
  • 0x16729:$a: NanoCore
  • 0x2f1a3:$a: NanoCore
  • 0x2f1b8:$a: NanoCore
  • 0x2f1ed:$a: NanoCore
  • 0x2f87:$b: ClientPlugin
  • 0x2fc4:$b: ClientPlugin
  • 0x38c2:$b: ClientPlugin
  • 0x38cf:$b: ClientPlugin
  • 0x1649b:$b: ClientPlugin
  • 0x164b6:$b: ClientPlugin
  • 0x164e6:$b: ClientPlugin
  • 0x166fd:$b: ClientPlugin
  • 0x16732:$b: ClientPlugin
  • 0x2ef5f:$b: ClientPlugin
  • 0x2ef7a:$b: ClientPlugin
0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1043d:$x1: NanoCore.ClientPluginHost
  • 0x1047a:$x2: IClientNetworkHost
  • 0x13fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(22 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
17.2.AddInProcess32.exe.5610000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
17.2.AddInProcess32.exe.5610000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(7 further entries not shown)
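The offsets above come from running the published Yara rules over the sandbox's memory dumps and unpacked PEs. To reproduce that kind of check on a dump offline, here is an added example (it is not part of this report and not Joe Security's or Florian Roth's code): a plain-Python scanner that searches a buffer for the signature strings the rules matched and prints hits in the same `offset:$name: string` form the report uses. The sample dump it builds is constructed, placing the report's strings at the offsets shown for the 00000011...5610000 dump; the `verdict()` condition is a simplification of my own and is not the logic of the published rules.

```python
from pathlib import Path

# String signatures taken from the Nanocore_RAT_Gen_2 / Nanocore_RAT_Feb18_1
# matches listed above. The rules' real conditions are not reproduced here.
SIGNATURE_STRINGS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$s3": b"PipeExists",
    "$s4": b"PipeCreated",
    "$s5": b"IClientLoggingHost",
}


def build_sample_dump():
    """Constructed stand-in for a .sdmp: the report's strings at the report's offsets."""
    buf = bytearray(0x1400)
    for off, s in ((0xe75, SIGNATURE_STRINGS["$x1"]), (0xe8f, SIGNATURE_STRINGS["$x2"]),
                   (0xeb0, SIGNATURE_STRINGS["$s5"]), (0x1136, SIGNATURE_STRINGS["$s4"]),
                   (0x1261, SIGNATURE_STRINGS["$s3"])):
        buf[off:off + len(s)] = s
    return bytes(buf)


def scan(buf, signatures=SIGNATURE_STRINGS):
    """Return {name: [offsets]} for every ASCII or UTF-16LE occurrence of each signature.

    .NET metadata identifiers are stored as ASCII, but managed string literals
    are UTF-16LE, so both encodings are searched.
    """
    hits = {}
    for name, ascii_form in signatures.items():
        for pattern in (ascii_form, ascii_form.decode("ascii").encode("utf-16-le")):
            pos = buf.find(pattern)
            while pos != -1:
                hits.setdefault(name, []).append(pos)
                pos = buf.find(pattern, pos + 1)
    return hits


def verdict(hits):
    """Simplified decision (my assumption, not the published rules' logic):
    any $x string, or at least two $s strings, counts as a NanoCore hit."""
    x_hits = any(n.startswith("$x") for n in hits)
    s_hits = sum(1 for n in hits if n.startswith("$s"))
    return x_hits or s_hits >= 2


def report(hits, signatures=SIGNATURE_STRINGS):
    """Format hits the way the report prints them, e.g. 0xe75:$x1: NanoCore.ClientPluginHost"""
    lines = []
    for name, offsets in hits.items():
        for off in offsets:
            lines.append(f"{off:#x}:{name}: {signatures[name].decode('ascii')}")
    return sorted(lines, key=lambda line: int(line.split(":")[0], 16))


def scan_file(path):
    """Scan a dump on disk (e.g. a .sdmp or a raw unpacked PE)."""
    return scan(Path(path).read_bytes())


if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(build_sample_dump())
    print("\n".join(report(hits)))
    print("verdict:", "NanoCore" if verdict(hits) else "no match")
```

Run it with a dump path to scan a real file, or without arguments to scan the constructed buffer. String hits in a memory dump are evidence, not proof by themselves: the sandbox's own verdict here rests on the matches coinciding with the extracted configuration and the C2 traffic below.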

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 1256, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
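The Sigma hit above keys on a Sysmon file-creation event: the injected AddInProcess32.exe writing run.dat into a GUID-named folder under AppData\Roaming. As an added example (not Joe Security's Sigma rule, whose exact selection is not shown in this report), the following Python runs an equivalent check over Sysmon EventID 11 records. The event records are constructed to look like Sysmon events exported as JSON; the first reuses the Image, ProcessId and TargetFilename from the report, the rest are invented to exercise the negatives. The severity weighting on user-writable image paths is my assumption.

```python
import re

# Added detection, not Joe Security's Sigma rule. The path layout
# (AppData\Roaming\<GUID>\run.dat) is taken from the report above.
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\"
    r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}"   # per-install GUID folder
    r"\\run\.dat$",
    re.IGNORECASE,
)

# Images running from user-writable staging directories get extra weight (assumption).
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)

# Constructed events shaped like Sysmon EventID 11 records exported to JSON.
# Event 0 reuses the report's values; the others are invented test cases.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "ProcessId": 1256,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "ProcessId": 4100,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\updater.exe", "ProcessId": 2212,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\run.dat"},      # no GUID folder
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "ProcessId": 1256,
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"},  # wrong event type
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Roaming\demiusda.exe", "ProcessId": 1240,
     "TargetFilename": r"c:\users\user\appdata\roaming\1b2c3d4e-0000-1111-2222-333344445555\run.dat"},
]


def is_nanocore_run_dat(event):
    """True for a Sysmon EventID 11 whose TargetFilename matches the run.dat layout."""
    if event.get("EventID") != 11:
        return False
    return RUN_DAT_RE.search(event.get("TargetFilename", "")) is not None


def triage(event):
    """Return an alert dict for a matching event, or None."""
    if not is_nanocore_run_dat(event):
        return None
    image = event.get("Image", "")
    return {
        "rule": "NanoCore run.dat creation",
        "pid": event.get("ProcessId"),
        "image": image,
        "target": event["TargetFilename"],
        # Both writers in this report's process tree run from AppData.
        "severity": "high" if USER_WRITABLE_RE.search(image) else "medium",
    }


def detect(events):
    """Run triage over an event stream and return only the alerts."""
    return [a for a in (triage(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']} -> {alert['target']}")
```

The GUID requirement is what keeps this from firing on every run.dat on a host; case-insensitive matching matters because Sysmon records the path as the process supplied it, and the sample's own drop path mixes cases.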

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.1256.17.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.160.233", "105.112.113.90"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\demiusda.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL_file 187652345643476245.exe | ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match | File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 17.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then jmp 02DAF636h | 0_2_02DAEE70
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then jmp 02DAF636h | 0_2_02DAEE62
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then jmp 02DAF636h | 0_2_02DAEE28
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_057AB160
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057A5D80
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057A3E0C
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_057ADEB8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_057A4BC8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057A4BC8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov esp, ebp | 0_2_057ACAB0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_057AB153
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057A43C5
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_057ADF90
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057A5E60
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_057ADEA8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_057A48A8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057A48A8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_057A489D
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057A489D
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then xor edx, edx | 0_2_057A4B00
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057A6BFC
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_057A4BBD
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057A4BBD
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then xor edx, edx | 0_2_057A4AF4
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov esp, ebp | 0_2_057ACAA1
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0318F636h | 12_2_0318ED7F
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0318F636h | 12_2_0318EE63
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h | 12_2_058890B8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0588868Eh | 12_2_05888588
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0588868Eh | 12_2_05888598
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h | 12_2_058890A8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h | 12_2_0588921B
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 015E0799h | 19_2_015E0560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 015E0799h | 19_2_015E0553
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 02700799h | 20_2_02700560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 02700799h | 20_2_02700551
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 032E0799h | 22_2_032E0560
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 032E0799h | 22_2_032E0552

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.160.233
Source: Malware configuration extractor | IPs: 105.112.113.90
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 185.157.160.233:2020
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 105.112.113.90:2020
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 185.157.160.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: OBE-EUROPE Obenetwork Europe SE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.233 (9 occurrences)
Source: unknown | DNS traffic detected: queries for: annapro.linkpc.net
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307699321.0000000001519000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp:
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: demiusda.exe, 0000000C.00000002.612789504.000000000152A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
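Three of the observations above stack: the destination IPs are in the extracted configuration, the TCP connections go to port 2020 rather than a common service port, and no DNS query resolved those addresses beforehand. The following added example (not part of this report and not Joe Sandbox code) shows how to correlate a connection log with a DNS log to surface exactly that combination. The logs are constructed: the two port-2020 flows reproduce the report's destinations, while example.org, its address, the 1.1.1.1 flow and the internal SMB flow are invented. What annapro.linkpc.net resolved to is not shown in the report, so its DNS entry carries no answer by assumption; the set of "standard" ports is also an assumption.

```python
import ipaddress
from datetime import datetime, timedelta

# C2 addresses from the configuration extracted in this report.
NANOCORE_C2 = {"185.157.160.233", "105.112.113.90"}
# Ports treated as ordinary outbound client traffic (assumption; tune per environment).
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995, 123}

T0 = datetime(2021, 1, 1, 12, 0, 0)   # constructed base time

# Constructed DNS log: (timestamp, query name, answered IPs).
# annapro.linkpc.net is the name queried in the report; its answer is not shown
# there, so the entry below records none (assumption).
DNS_LOG = [
    (T0 + timedelta(seconds=1), "example.org", ["93.184.216.34"]),
    (T0 + timedelta(seconds=5), "annapro.linkpc.net", []),
]

# Constructed connection log: (timestamp, src, dst ip, dst port, proto).
# The two port-2020 flows reproduce the report's destinations and ports.
CONN_LOG = [
    (T0 + timedelta(seconds=2),  "192.168.2.3", "93.184.216.34",   443,  "tcp"),
    (T0 + timedelta(seconds=10), "192.168.2.3", "185.157.160.233", 2020, "tcp"),
    (T0 + timedelta(seconds=30), "192.168.2.3", "105.112.113.90",  2020, "tcp"),
    (T0 + timedelta(seconds=40), "192.168.2.3", "192.168.2.1",     445,  "tcp"),
    (T0 + timedelta(seconds=50), "192.168.2.3", "1.1.1.1",         443,  "tcp"),
]


def resolved_before(ip, ts, dns_log, window=timedelta(minutes=10)):
    """Did any DNS answer within `window` before `ts` contain this IP?"""
    return any(ip in answers and ts - window <= qts <= ts
               for qts, _, answers in dns_log)


def classify(conn, dns_log):
    """Return the reasons a connection is suspicious (empty list if none)."""
    ts, _src, dst, dport, proto = conn
    reasons = []
    if ipaddress.ip_address(dst).is_private:
        return reasons                      # internal traffic: out of scope here
    if dst in NANOCORE_C2:
        reasons.append("known_nanocore_c2")
    if not resolved_before(dst, ts, dns_log):
        reasons.append("no_preceding_dns")
    if dport not in STANDARD_PORTS:
        reasons.append(f"nonstandard_port_{proto}_{dport}")
    return reasons


def hunt(conn_log, dns_log):
    """Return {dst_ip: sorted reasons} for every flagged connection."""
    findings = {}
    for conn in conn_log:
        reasons = classify(conn, dns_log)
        if reasons:
            findings.setdefault(conn[2], set()).update(reasons)
    return {ip: sorted(r) for ip, r in findings.items()}


if __name__ == "__main__":
    for ip, reasons in hunt(CONN_LOG, DNS_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

A single reason is weak on its own: direct-to-IP connections without DNS are common for CDNs and resolvers (the 1.1.1.1 flow is flagged for that reason alone). The two C2 addresses are the ones that accumulate all three, which is the pattern worth alerting on.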

E-Banking Fraud:

Yara detected Nanocore RAT
Sources: the same Yara match sources listed under AV Detection above (memory dumps of AddInProcess32.exe PID 1256 and demiusda.exe PID 1240, and the unpacked PEs 17.2.AddInProcess32.exe.5a80000.6 and 17.2.AddInProcess32.exe.400000.0).

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058843A0 CreateProcessAsUserW
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code functions: 0_2_00BC471C, 0_2_02DA4098, 0_2_02DA4800, 0_2_02DAA918, 0_2_02DAEE70, 0_2_02DA9E20, 0_2_02DAF768, 0_2_02DAD700, 0_2_02DABC40, 0_2_02DA7C20, 0_2_02DAA909, 0_2_02DAD6F0, 0_2_02DAEE62, 0_2_02DA9E10, 0_2_02DAEE28, 0_2_02DAF758, 0_2_02DABC30, 0_2_057A87F8, 0_2_057A5930, 0_2_057ABA00, 0_2_057AC520, 0_2_057AC510, 0_2_057A536F, 0_2_057A5380, 0_2_057A0380, 0_2_057A5923, 0_2_057AB9F0, 0_2_057AB9B0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code functions: 12_2_03187BB0, 12_2_0318A909, 12_2_03184098, 12_2_0318F768, 12_2_03189E10, 12_2_0318D6F0, 12_2_0318ED7F, 12_2_0318BC30, 12_2_0318F758, 12_2_0318EE63, 12_2_05880CC8, 12_2_058813F8, 12_2_05885B00, 12_2_05883210, 12_2_058849A8, 12_2_058829C7, 12_2_058829D8, 12_2_05882550, 12_2_05882560, 12_2_05880CB8, 12_2_05883C60, 12_2_05883C70, 12_2_058813E8, 12_2_05886720, 12_2_05885AF0, 12_2_05883200
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions: 17_2_00B12050, 17_2_013EE471, 17_2_013EE480, 17_2_013EBBD4, 17_2_0557F5F8, 17_2_05579788, 17_2_0557A602
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Sample file is different than original file name gathered from version info
Source: DHL_file 187652345643476245.exe, 00000000.00000002.310619825.0000000005690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307262138.0000000000C66000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309116173.0000000004ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Yara signature match
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: DHL_file 187652345643476245.exe, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: DHL_file 187652345643476245.exe, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
Source: demiusda.exe.0.dr, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: demiusda.exe.0.dr, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.0.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.0.demiusda.exe.d50000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@38/25@3/3
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{1463e4a3-f6a6-4e08-9907-1283c197d8fd}
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: DHL_file 187652345643476245.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (identical entry reported for each of the 16 watchprcss.exe instances)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_file 187652345643476245.exe | ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File read: C:\Users\user\Desktop\DHL_file 187652345643476245.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL_file 187652345643476245.exe 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' (16 instances)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' (8 instances)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' (8 instances)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_file 187652345643476245.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_file 187652345643476245.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
      Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000011.00000000.384796017.0000000000B12000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
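The time stamp finding is the COFF file header's 32-bit TimeDateStamp, which the sandbox decodes to a date fifty-odd years in the future. Checking it yourself takes a few lines of header parsing, shown here as an added example (not part of the report). One caveat a practitioner should keep in mind: deterministic compilation (Roslyn's /deterministic, the default for SDK-style .NET projects) stores a hash of the compilation inputs in this field instead of a time, so an impossible date on a .NET assembly is a signal to corroborate with the other findings, not proof of tampering on its own. The plausibility window and the stub-header builder below are assumptions made for illustration.

```python
"""Decode a PE file's COFF TimeDateStamp and classify its plausibility.

Added example, not part of the sandbox report.  The 'earliest_year' window and
build_stub_pe() are assumptions for illustration and testing."""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
COFF_TIMESTAMP_OFFSET = 8  # Machine(2) + NumberOfSections(2) follow the 4-byte signature


def pe_timestamp(data):
    """Return the raw 32-bit TimeDateStamp from the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def classify_timestamp(stamp, now=None, earliest_year=2000):
    """Return (utc_datetime, verdict); verdict is 'zeroed', 'future', 'too-old'
    or 'plausible'.  'now' defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if stamp == 0:
        verdict = "zeroed"        # common for stripped or packed binaries
    elif when > now:
        verdict = "future"        # cannot be a real build time
    elif when.year < earliest_year:
        verdict = "too-old"       # assumption: nothing in scope predates 2000
    else:
        verdict = "plausible"
    return when, verdict


def build_stub_pe(stamp):
    """Constructed minimal MZ/PE header (not loadable) carrying the given stamp."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    # Machine = IMAGE_FILE_MACHINE_I386, NumberOfSections = 3, then TimeDateStamp
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x014C, 3, stamp)
    return bytes(buf)


if __name__ == "__main__":
    # The stamp reported for this sample; replace build_stub_pe(...) with the
    # bytes of a real file to check one from disk.
    sample = build_stub_pe(0xC7142059)
    stamp = pe_timestamp(sample)
    when, verdict = classify_timestamp(stamp)
    print(f"0x{stamp:08X} -> {when:%a %b %d %H:%M:%S %Y} UTC ({verdict})")
```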
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC6DF4 push cs; retf 0_2_00BC6DF5
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC23E0 push esp; retn 0000h 0_2_00BC23E1
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC3400 push cs; retf 0_2_00BC3401
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057ADE4B pushad ; ret 0_2_057ADE51
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D53400 push cs; retf 12_2_00D53401
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D56DF4 push cs; retf 12_2_00D56DF5
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D523E0 push esp; retn 0000h 12_2_00D523E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_055769FA push esp; retf 17_2_05576A01
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_055769F8 pushad ; retf 17_2_055769F9
Source: watchprcss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: watchprcss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: watchprcss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: watchprcss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: watchprcss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.watchprcss.exe.e20000.0.unpack, 19.0.watchprcss.exe.e20000.0.unpack, 20.2.watchprcss.exe.200000.0.unpack and 20.0.watchprcss.exe.200000.0.unpack | High entropy of concatenated method names: the same five Astronotplart/* classes and method names as reported for watchprcss.exe.12.dr above (identical findings for each in-memory image of watchprcss.exe)
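Two different renaming styles appear in the rows above: watchprcss.exe carries free-form random alphanumeric method names, while the unpacked AddInProcess32 payload carries names of the form '#=q...' followed by base64-like text. Both defeat readability, and both are cheap to spot statically. The following is an added example (not the sandbox's own implementation) that reproduces the "high entropy of concatenated method names" measurement over names copied from the rows above and adds a pattern check for the '#=q' prefix. The 4.8-bit threshold and the 50% prefix ratio are assumptions; the list of ordinary names is constructed as a baseline for comparison.

```python
"""Entropy and prefix heuristics for obfuscated .NET method names.

Added example, not the sandbox's code.  ENTROPY_THRESHOLD_BITS and the 0.5
prefix ratio are assumptions; WATCHPRCSS_NAMES and ADDINPROCESS_NAMES are
copied from the report rows, ORDINARY_NAMES is a constructed baseline."""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD_BITS = 4.8  # assumption: ordinary .NET names sit well below this
RENAMER_PREFIX = re.compile(r"#=q[A-Za-z0-9_$]+={0,2}")


def shannon_entropy(text):
    """Shannon entropy in bits per character over the characters of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names):
    """Entropy of all user-chosen method names concatenated.  CLR special names
    (.ctor/.cctor) are skipped so they do not dilute the sample."""
    return shannon_entropy("".join(n for n in names if not n.startswith(".")))


def renamer_prefix_ratio(names):
    """Fraction of user-chosen names that match the '#=q...' renamer pattern."""
    user_names = [n for n in names if not n.startswith(".")]
    if not user_names:
        return 0.0
    return sum(1 for n in user_names if RENAMER_PREFIX.fullmatch(n)) / len(user_names)


def looks_obfuscated(names, threshold=ENTROPY_THRESHOLD_BITS):
    """Either signal alone is enough; the prefix check catches '#=q' names whose
    shared prefix would otherwise pull the entropy figure down."""
    return method_name_entropy(names) >= threshold or renamer_prefix_ratio(names) > 0.5


# Copied from the watchprcss.exe.12.dr / Astronotplart/My/tT7bk4Fnxb... row above.
WATCHPRCSS_NAMES = [
    "nn9DM7TZkpnl4dSPqnpPS2oW", "LztRLhG61h4KFshxtO7P7",
    "G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77", "5fQycwGNtn0lBuMB2jteITZhMQF3wG",
    "ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR",
]
# First five names from the 17.2.AddInProcess32.exe.400000.0.unpack row above.
ADDINPROCESS_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
]
# Constructed baseline: compiler-generated accessors plus a few hand-written names.
ORDINARY_NAMES = [".ctor", "get_Name", "set_Name", "get_Value", "set_Value", "ToString", "Dispose"]

if __name__ == "__main__":
    for label, names in (("watchprcss", WATCHPRCSS_NAMES),
                         ("AddInProcess32", ADDINPROCESS_NAMES),
                         ("ordinary", ORDINARY_NAMES)):
        print(f"{label:15s} entropy={method_name_entropy(names):.2f} bits  "
              f"renamer={renamer_prefix_ratio(names):.0%}  "
              f"obfuscated={looks_obfuscated(names)}")
```

Per-class entropy is what the sandbox reports and what this reproduces; across a whole assembly the more robust figure is the share of classes that trip either check, since a single generated resource class can look noisy in an otherwise clean binary.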
      Source: