Analysis Report DHL_file 187652345643476245.exe

Overview

General Information

Sample Name: DHL_file 187652345643476245.exe
Analysis ID: 336532
MD5: 303e92008ea45abde4fc35d8d176015d
SHA1: 29ff646c7c04a2be614bdbe87f73df87add78dda
SHA256: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
Tags: DHL, exe, Hostwinds, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name in its version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • DHL_file 187652345643476245.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
    • demiusda.exe (PID: 1240 cmdline: 'C:\Users\user\AppData\Roaming\demiusda.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
      • AddInProcess32.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • watchprcss.exe (PID: 5164 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6304 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5024 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 4076 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7020 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 476 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6284 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 1724 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7040 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6216 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2": ["185.157.160.233", "105.112.113.90"], "Version": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2f25:$a: NanoCore
  • 0x2f7e:$a: NanoCore
  • 0x2fbb:$a: NanoCore
  • 0x3034:$a: NanoCore
  • 0x166df:$a: NanoCore
  • 0x166f4:$a: NanoCore
  • 0x16729:$a: NanoCore
  • 0x2f1a3:$a: NanoCore
  • 0x2f1b8:$a: NanoCore
  • 0x2f1ed:$a: NanoCore
  • 0x2f87:$b: ClientPlugin
  • 0x2fc4:$b: ClientPlugin
  • 0x38c2:$b: ClientPlugin
  • 0x38cf:$b: ClientPlugin
  • 0x1649b:$b: ClientPlugin
  • 0x164b6:$b: ClientPlugin
  • 0x164e6:$b: ClientPlugin
  • 0x166fd:$b: ClientPlugin
  • 0x16732:$b: ClientPlugin
  • 0x2ef5f:$b: ClientPlugin
  • 0x2ef7a:$b: ClientPlugin
0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1043d:$x1: NanoCore.ClientPluginHost
  • 0x1047a:$x2: IClientNetworkHost
  • 0x13fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(22 further memory-dump entries are not included in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
17.2.AddInProcess32.exe.5a80000.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
17.2.AddInProcess32.exe.5610000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
17.2.AddInProcess32.exe.5610000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(7 further unpacked-PE entries are not included in this extract)

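The Yara hits above are reported as offset:identifier:string triples. The scanner below is an added illustration, not part of the Joe Sandbox report and not the text of the original rules: it reproduces that output format over a constructed buffer that carries the same marker strings at the offsets the report shows for the 00000011.00000002.624186822.0000000005610000 memory dump (0xe75, 0xe8f, 0xeb0, 0x1136, 0x1261). The string sets are copied from the hits listed above; the match threshold (at least two distinct strings per rule) is a simplification chosen for this example and is not the condition of the real Nanocore_RAT_Gen_2 or Nanocore_RAT_Feb18_1 rules. UTF-16LE ("wide") variants are searched as well, because .NET user strings are stored that way; the type and interface names matched in this sample live in the assembly metadata and are ASCII, which is why the report shows narrow hits.

```python
from dataclasses import dataclass

# String sets copied from the Yara hits listed in the report. The real rules'
# conditions are not reproduced; MIN_DISTINCT is a simplification for this example.
RULE_STRINGS = {
    "Nanocore_RAT_Gen_2": {
        "$x1": b"NanoCore.ClientPluginHost",
        "$x2": b"IClientNetworkHost",
        "$x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
    },
    "Nanocore_RAT_Feb18_1": {
        "$x2": b"NanoCore.ClientPluginHost",
        "$s3": b"PipeExists",
        "$s4": b"PipeCreated",
        "$s5": b"IClientLoggingHost",
    },
}
MIN_DISTINCT = 2


@dataclass(frozen=True)
class Hit:
    offset: int
    ident: str
    value: bytes
    wide: bool  # True when the UTF-16LE form matched


def find_all(buf: bytes, needle: bytes):
    """Yield every offset of needle in buf, overlaps included (as Yara reports them)."""
    start = 0
    while (i := buf.find(needle, start)) >= 0:
        yield i
        start = i + 1


def scan(buf: bytes, rules=RULE_STRINGS, min_distinct: int = MIN_DISTINCT):
    """Return {rule: (matched, [Hit, ...])} with hits sorted by offset."""
    results = {}
    for rule, strings in rules.items():
        hits = []
        for ident, ascii_s in strings.items():
            wide_s = ascii_s.decode("ascii").encode("utf-16-le")
            hits += [Hit(o, ident, ascii_s, False) for o in find_all(buf, ascii_s)]
            hits += [Hit(o, ident, ascii_s, True) for o in find_all(buf, wide_s)]
        hits.sort(key=lambda h: h.offset)
        matched = len({h.ident for h in hits}) >= min_distinct
        results[rule] = (matched, hits)
    return results


def format_hits(hits):
    """Render hits the way the report does: 0x<offset>:$id: <string>."""
    return [f"0x{h.offset:x}:{h.ident}: {h.value.decode('ascii')}"
            + (" (wide)" if h.wide else "") for h in hits]


def build_sample() -> bytes:
    """Constructed stand-in for the 5610000 dump: zero filler with the marker
    strings placed at the offsets the report lists for that region."""
    buf = bytearray(0x2000)
    for off, s in [(0xe75, b"NanoCore.ClientPluginHost"),
                   (0xe8f, b"IClientNetworkHost"),
                   (0xeb0, b"IClientLoggingHost"),
                   (0x1136, b"PipeCreated"),
                   (0x1261, b"PipeExists")]:
        buf[off:off + len(s)] = s
    return bytes(buf)


if __name__ == "__main__":
    for rule, (matched, hits) in scan(build_sample()).items():
        print(f"{rule}: {'MATCH' if matched else 'no match'}")
        for line in format_hits(hits):
            print("  " + line)
```

Pointing `scan()` at a real process dump (read the file as bytes) reproduces the offsets the sandbox prints for that region; the `wide` flag tells you whether a hit came from the metadata tables or from a UTF-16 user string, which matters when you turn these markers into your own rule.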
Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 1256, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
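
The Sigma hit above is a Sysmon Event ID 11 (FileCreate) whose TargetFilename is run.dat inside a GUID-named folder under %APPDATA%. The code below is an added example, not Joe Security's Sigma rule and not part of the report: it implements that path pattern over constructed Sysmon events, and adds a second check of my own, that a binary carrying a .NET Framework host name such as AddInProcess32.exe (which ships under %windir%\Microsoft.NET\Framework) is running from a user-writable directory, as the process tree above shows for %TEMP%. The sample events, their ProcessIds other than 1256, and the benign paths are constructed.

```python
import re

# Sysmon Event ID 11 is FileCreate. Path shape taken from the event the report quotes:
#   <profile>\AppData\Roaming\<GUID>\run.dat
GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)

# Added check (not from the report): .NET Framework host binaries belong under
# %windir%\Microsoft.NET\Framework[64]\; the same name elsewhere is a path anomaly.
DOTNET_HOST_NAMES = {"addinprocess32.exe", "addinprocess.exe"}
DOTNET_HOME_RE = re.compile(r"^[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)


def is_nanocore_run_dat(event: dict) -> bool:
    """FileCreate of run.dat inside a GUID-named folder under %APPDATA%."""
    return (str(event.get("EventID")) == "11"
            and RUN_DAT_RE.search(event.get("TargetFilename", "")) is not None)


def is_dotnet_host_outside_framework(event: dict) -> bool:
    """A .NET Framework host binary name whose Image path is not the framework dir."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    return name in DOTNET_HOST_NAMES and DOTNET_HOME_RE.match(image) is None


def detect(events):
    """Return (rule name, event) pairs, in event order, for every rule that fires."""
    findings = []
    for e in events:
        if is_nanocore_run_dat(e):
            findings.append(("nanocore_run_dat", e))
        if is_dotnet_host_outside_framework(e):
            findings.append(("dotnet_host_outside_framework", e))
    return findings


# Constructed Sysmon events. The first mirrors the report's Sigma hit; the next two
# are benign look-alikes that must stay quiet; the last is a process-create event
# (ID 1) for the same %TEMP% binary, which only the path check should catch.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1256,
     "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 11, "ProcessId": 4812,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\invoice.lnk"},
    {"EventID": 11, "ProcessId": 3300,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\addin.log"},
    {"EventID": 1, "ProcessId": 1256,
     "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"},
]

if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(f"{rule}: PID {event['ProcessId']} {event['Image']}")
```

The run.dat check is narrow on purpose: a GUID directory under %APPDATA% is common, run.dat inside one is not. The path check is the cheaper hunt, since it needs only the Image field and fires on the process-create event before any file is written.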

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.1256.17.memstr | Malware Configuration Extractor: NanoCore {"C2": ["185.157.160.233", "105.112.113.90"], "Version": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\demiusda.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL_file 187652345643476245.exe | ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match, file source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match, file source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match, file source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 17.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then jmp 02DAF636h (3 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (5 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (5 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (4 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-24h] (2 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-20h] (2 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov esp, ebp (2 occurrences)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then xor edx, edx (2 occurrences)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0318F636h (2 occurrences)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h (3 occurrences)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0588868Eh (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 015E0799h (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 02700799h (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 032E0799h (2 occurrences)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.160.233
Source: Malware configuration extractor | IPs: 105.112.113.90
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 185.157.160.233:2020
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 105.112.113.90:2020
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 185.157.160.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.233 (9 occurrences)
Source: unknown | DNS traffic detected: queries for: annapro.linkpc.net
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307699321.0000000001519000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp:
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: demiusda.exe, 0000000C.00000002.612789504.000000000152A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
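
Two of the network findings above are generic heuristics worth having in your own pipeline: a TCP connection to an address that no DNS answer in the capture ever returned (the sandbox flags this for 185.157.160.233; the flow to 105.112.113.90 has the same shape), and traffic to a port outside the small set a guest normally uses (2020 here). The code below is an added example, not Joe Sandbox logic: it runs both checks over constructed flow and DNS records, and cross-references the destination against the C2 list from the extracted configuration. The timestamps, the cdn.example.net / 203.0.113.10 filler, the LAN flow, and the "expected ports" set are assumptions for the example; the two C2 endpoints and the annapro.linkpc.net query come from the report, which records the query but no answer for it.

```python
from dataclasses import dataclass
import ipaddress

# C2 addresses from the extracted NanoCore configuration above.
C2_FROM_CONFIG = frozenset({"185.157.160.233", "105.112.113.90"})

# Ports the guest is expected to use; anything else counts as non-standard
# for this heuristic. Tune per environment (constructed baseline).
EXPECTED_PORTS = frozenset({53, 80, 123, 443})

# RFC 1918 and loopback ranges: flows that stay inside them are skipped.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnsRecord:
    ts: float
    qname: str
    answers: tuple  # resolved IPs; empty when no A record came back


def index_resolutions(dns):
    """Map ip -> (first_seen_ts, qname) for every address a DNS answer returned."""
    resolved = {}
    for rec in sorted(dns, key=lambda r: r.ts):
        for ip in rec.answers:
            resolved.setdefault(ip, (rec.ts, rec.qname))
    return resolved


def flag_flows(flows, dns, c2=C2_FROM_CONFIG, expected_ports=EXPECTED_PORTS):
    """Return [(flow, [reason, ...])] for outbound flows that deserve a look."""
    resolved = index_resolutions(dns)
    findings = []
    for f in sorted(flows, key=lambda x: x.ts):
        dst = ipaddress.ip_address(f.dst)
        if any(dst in net for net in LOCAL_NETS):
            continue
        reasons = []
        seen = resolved.get(f.dst)
        if seen is None or seen[0] > f.ts:  # resolution must precede the connection
            reasons.append("no prior DNS resolution for destination")
        if f.dport not in expected_ports:
            reasons.append(f"non-standard port {f.dport}")
        if f.dst in c2:
            reasons.append("destination is in extracted C2 configuration")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed records. The two C2 flows reuse the endpoints the report shows;
# cdn.example.net / 203.0.113.10 is filler that must stay quiet.
SAMPLE_DNS = [
    DnsRecord(1.0, "cdn.example.net", ("203.0.113.10",)),
    DnsRecord(8.0, "annapro.linkpc.net", ()),  # queried in the report; no answer recorded there
]
SAMPLE_FLOWS = [
    Flow(2.0, "192.168.2.3", 49701, "203.0.113.10", 443),
    Flow(10.0, "192.168.2.3", 49724, "185.157.160.233", 2020),
    Flow(12.0, "192.168.2.3", 49744, "105.112.113.90", 2020),
    Flow(13.0, "192.168.2.3", 49750, "192.168.2.1", 445),
]

if __name__ == "__main__":
    for flow, reasons in flag_flows(SAMPLE_FLOWS, SAMPLE_DNS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  " + "; ".join(reasons))
```

The ordering check (resolution before connection) matters: a later lookup that happens to return the same address must not retroactively excuse an earlier direct-to-IP connection. Note that the dynamic-DNS name queried here never resolved in the capture, so a pure DNS-reputation check would have had nothing to work with; the direct-to-IP and port heuristics are what catch this sample's beacons.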

E-Banking Fraud:

Yara detected Nanocore RAT: same Yara matches as listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT (Author: Florian Roth)
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT (Author: Florian Roth)
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT (Author: Florian Roth)
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT (Author: Florian Roth)
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT (Author: Florian Roth)
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT (Author: Florian Roth); NanoCore (Author: Kevin Breen <kevin@techanarchy.net>)
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058843A0 CreateProcessAsUserW
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code functions: 0_2_00BC471C, 0_2_02DA4098, 0_2_02DA4800, 0_2_02DAA918, 0_2_02DAEE70, 0_2_02DA9E20, 0_2_02DAF768, 0_2_02DAD700, 0_2_02DABC40, 0_2_02DA7C20, 0_2_02DAA909, 0_2_02DAD6F0, 0_2_02DAEE62, 0_2_02DA9E10, 0_2_02DAEE28, 0_2_02DAF758, 0_2_02DABC30, 0_2_057A87F8, 0_2_057A5930, 0_2_057ABA00, 0_2_057AC520, 0_2_057AC510, 0_2_057A536F, 0_2_057A5380, 0_2_057A0380, 0_2_057A5923, 0_2_057AB9F0, 0_2_057AB9B0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code functions: 12_2_03187BB0, 12_2_0318A909, 12_2_03184098, 12_2_0318F768, 12_2_03189E10, 12_2_0318D6F0, 12_2_0318ED7F, 12_2_0318BC30, 12_2_0318F758, 12_2_0318EE63, 12_2_05880CC8, 12_2_058813F8, 12_2_05885B00, 12_2_05883210, 12_2_058849A8, 12_2_058829C7, 12_2_058829D8, 12_2_05882550, 12_2_05882560, 12_2_05880CB8, 12_2_05883C60, 12_2_05883C70, 12_2_058813E8, 12_2_05886720, 12_2_05885AF0, 12_2_05883200
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code functions: 17_2_00B12050, 17_2_013EE471, 17_2_013EE480, 17_2_013EBBD4, 17_2_0557F5F8, 17_2_05579788, 17_2_0557A602
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe (SHA256 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B)
Sample file name differs from the original file name in its version info
Source: DHL_file 187652345643476245.exe, 00000000.00000002.310619825.0000000005690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307262138.0000000000C66000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309116173.0000000004ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Yara signature match
Rule metadata for the community rules matched above:
  • Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  • Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  • NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Matches (source, type: MEMORY):
  • 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp: NanoCore
  • 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp: Nanocore_RAT_Gen_2, NanoCore
  • 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp: Nanocore_RAT_Gen_2, NanoCore
  • 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
  • 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp: Nanocore_RAT_Gen_2, NanoCore
  • 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp: Nanocore_RAT_Gen_2, NanoCore
  • Process Memory Space: AddInProcess32.exe PID: 1256: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: DHL_file 187652345643476245.exe, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: DHL_file 187652345643476245.exe, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: demiusda.exe.0.dr, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: demiusda.exe.0.dr, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 12.0.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 12.0.demiusda.exe.d50000.0.unpack, g0XP/Aq8w.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@38/25@3/3
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{1463e4a3-f6a6-4e08-9907-1283c197d8fd}
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: DHL_file 187652345643476245.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: DHL_file 187652345643476245.exe | ReversingLabs: Detection: 22%
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File read: C:\Users\user\Desktop\DHL_file 187652345643476245.exe
      Source: unknown | Process created: C:\Users\user\Desktop\DHL_file 187652345643476245.exe 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process created: unknown unknown
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: DHL_file 187652345643476245.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: DHL_file 187652345643476245.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
      Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000011.00000000.384796017.0000000000B12000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Binary contains a suspicious time stamp
      Source: initial sample | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC6DF4 push cs; retf
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC23E0 push esp; retn 0000h
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC3400 push cs; retf
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057ADE4B pushad ; ret
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D53400 push cs; retf
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D56DF4 push cs; retf
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_00D523E0 push esp; retn 0000h
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_055769FA push esp; retf
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_055769F8 pushad ; retf
      Source: watchprcss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: watchprcss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: watchprcss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: watchprcss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: watchprcss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Roaming\demiusda.exe
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | File created: C:\Users\user\AppData\Local\Temp\watchprcss.exe
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | File opened: C:\Users\user\Desktop\DHL_file 187652345643476245.exe\:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | File opened: C:\Users\user\AppData\Roaming\demiusda.exe\:Zone.Identifier (read attributes | delete)
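The two events above show each executable opening its own Zone.Identifier alternate data stream with delete access, which removes the mark-of-the-web that SmartScreen and the Attachment Manager consult. The following is an added example, not code from the report: it reads and parses that stream for a given file so a responder can confirm whether the mark is still present. The stream contents are the INI-style text Windows writes on download; the embedded sample is constructed (the URLs are placeholders, not values from the report). Opening `file:Zone.Identifier` only works on Windows/NTFS; on other systems the function simply reports the stream as absent.

```python
import configparser
import sys
from typing import Optional

ZONE_IDENTIFIER_STREAM = "Zone.Identifier"

# URLZONE values that Windows writes into the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed stream contents in the shape a browser download produces.
# The URLs are placeholders; only the file name comes from the report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/DHL_file%20187652345643476245.exe\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse Zone.Identifier text into a dict with ZoneId, ZoneName and the URLs."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (ZoneId, HostUrl)
    parser.read_string(stream_text.replace("\r\n", "\n"))
    if "ZoneTransfer" not in parser:
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "0"))
    return {
        "ZoneId": zone_id,
        "ZoneName": ZONE_NAMES.get(zone_id, f"unknown ({zone_id})"),
        "ReferrerUrl": section.get("ReferrerUrl"),
        "HostUrl": section.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Return the parsed mark-of-the-web for `path`, or None when the stream is absent.

    NTFS alternate data streams are addressed as 'file:stream'. A missing
    stream means either the file never carried a mark (files written by a
    local process, such as the dropped copies in this report, normally do not)
    or the mark was deleted, as the trace shows for the sample itself.
    """
    try:
        with open(f"{path}:{ZONE_IDENTIFIER_STREAM}", "r",
                  encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        motw = read_zone_identifier(arg)
        print(arg, "->", "no Zone.Identifier stream" if motw is None else motw)
```

The absence of the stream on demiusda.exe or watchprcss.exe is not by itself evidence of tampering, since a file written by another process never receives a mark unless the writer propagates one; the evidence here is the delete-access open recorded by the sandbox. On a live host the same check can be made with `Get-Item -Path <file> -Stream Zone.Identifier`, and Sysmon file-stream events (event ID 15) record creations of the stream but not its deletion.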
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Process information set: NOOPENFILEERRORBOX (42 identical events)
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process information set: NOOPENFILEERRORBOX (42 identical events)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX (39 identical events)
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: Process Memory Space: DHL_file 187652345643476245.exe PID: 6652, type: MEMORY
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Window / User API: threadDelayed 1876
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Window / User API: threadDelayed 7966
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Window / User API: threadDelayed 3323
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Window / User API: threadDelayed 6449
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 4687
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 4815
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: foregroundWindowGot 717
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6740 | Thread sleep time: -18446744073709540s >= -30000s
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6740 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6744 | Thread sleep count: 1876 > 30
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe TID: 6744 | Thread sleep count: 7966 > 30
      Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 | Thread sleep time: -18446744073709540s >= -30000s
      Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 1932 | Thread sleep count: 3323 > 30
      Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 1932 | Thread sleep count: 6449 > 30
      Source: C:\Users\user\AppData\Roaming\demiusda.exe TID: 3340 | Thread sleep count: 38 > 30
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 6416 | Thread sleep time: -11990383647911201s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 5196 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 5856 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 6740 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 3420 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 7060 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 4736 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe TID: 2992 | Thread sleep time: -922337203685477s >= -30000s
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmware svga
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
      Source: watchprcss.exe, 00000013.00000002.413466462.000000000165D000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp, demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
      Source: watchprcss.exe, 00000024.00000002.510482308.00000000007CE000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy?
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmtools
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: demiusda.exe, 0000000C.00000002.623856585.00000000042C9000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
      Source: watchprcss.exe, 0000001D.00000002.458092576.00000000011E8000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: watchprcss.exe, 0000001B.00000002.445196253.0000000000FF3000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
      Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.625249638.0000000006B70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\demiusda.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processesShow sources
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign process
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 420000
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000
      Source: C:\Users\user\AppData\Roaming\demiusda.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: DAF008
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exeProcess created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exeProcess created: unknown unknown
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeProcess created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.624665686.00000000060AB000.00000004.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: AddInProcess32.exe, 00000011.00000002.615550274.0000000002F52000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: demiusda.exe, 0000000C.00000002.615388938.0000000001B30000.00000002.00000001.sdmp, AddInProcess32.exe, 00000011.00000002.615265072.00000000019C0000.00000002.00000001.sdmp, watchprcss.exe, 00000014.00000002.611533113.0000000001110000.00000002.00000001.sdmp, watchprcss.exe, 00000018.00000002.612048664.0000000001E20000.00000002.00000001.sdmp, watchprcss.exe, 0000001C.00000002.613635496.0000000001EA0000.00000002.00000001.sdmp, watchprcss.exe, 0000001E.00000002.613136260.0000000001420000.00000002.00000001.sdmp, watchprcss.exe, 00000021.00000002.609959478.0000000001320000.00000002.00000001.sdmp, watchprcss.exe, 00000023.00000002.610930688.0000000001C20000.00000002.00000001.sdmp, watchprcss.exe, 00000025.00000002.613887903.0000000001A20000.00000002.00000001.sdmp, watchprcss.exe, 00000027.00000002.612711305.0000000001850000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: AddInProcess32.exe, 00000011.00000002.615550274.0000000002F52000.00000004.00000001.sdmpBinary or memory string: Program Manager@
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exeQueries volume information: C:\Users\user\Desktop\DHL_file 187652345643476245.exe VolumeInformation
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\demiusda.exeQueries volume information: C:\Users\user\AppData\Roaming\demiusda.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\demiusda.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\demiusda.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Users\user\AppData\Local\Temp\watchprcss.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: demiusda.exe, 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts1 | Windows Management Instrumentation | Startup Items1 | Startup Items1 | Disable or Modify Tools1 | Input Capture21 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | System Information Discovery12 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder2 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection312 | Software Packing11 | NTDS | Security Software Discovery111 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | - | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder2 | Timestomp1 | LSA Secrets | Virtualization/Sandbox Evasion3 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection312 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop

      Behavior Graph

      Behavior Graph ID: 336532 | Sample: DHL_file 187652345643476245.exe | Startdate: 06/01/2021 | Architecture: WINDOWS | Score: 100

      Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

      DHL_file 187652345643476245.exe (started)
        dropped: C:\Users\user\AppData\Roaming\demiusda.exe (PE32); C:\Users\user\AppData\...\AddInProcess32.exe (PE32); C:\Users\...\demiusda.exe:Zone.Identifier (ASCII); C:\...\DHL_file 187652345643476245.exe.log (ASCII)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        demiusda.exe (started)
          dropped: C:\Users\user\AppData\...\watchprcss.exe (PE32)
          signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
          AddInProcess32.exe (started)
            network: 185.157.160.233, 2020 OBE-EUROPEObenetworkEuropeSE Sweden; annapro.linkpc.net 105.112.113.90, 2020 VNL1-ASNG Nigeria
            dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
          watchprcss.exe (started)
            network: 192.168.2.1 unknown unknown
            watchprcss.exe (started)
          watchprcss.exe (started)
            watchprcss.exe (started)
          6 other processes
            watchprcss.exe (started); watchprcss.exe (started); watchprcss.exe (started); 3 other processes


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      DHL_file 187652345643476245.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Virustotal | -
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender | -
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs | -
      C:\Users\user\AppData\Local\Temp\watchprcss.exe | 0% | ReversingLabs | -
      C:\Users\user\AppData\Roaming\demiusda.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx

      Unpacked PE Files

      Source | Detection | Scanner | Label
      17.2.AddInProcess32.exe.5a80000.6.unpack | 100% | Avira | TR/NanoCore.fadte
      17.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://iptc.tc4xmp: | 0% | Avira URL Cloud | safe
      http://ns.ado/Ident | 0% | Avira URL Cloud | safe
      http://iptc.tc4xmp | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      annapro.linkpc.net | 105.112.113.90 | true | false | - | high

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://iptc.tc4xmp: | DHL_file 187652345643476245.exe, 00000000.00000002.307699321.0000000001519000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
        http://ns.ado/Ident | demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
        http://iptc.tc4xmp | demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        185.157.160.233 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
        105.112.113.90 | unknown | Nigeria | 36873 | VNL1-ASNG | false

        Private

        IP
        192.168.2.1

        General Information

        Joe Sandbox Version:31.0.0 Red Diamond
        Analysis ID:336532
        Start date:06.01.2021
        Start time:09:25:12
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 14m 53s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:DHL_file 187652345643476245.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:40
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@38/25@3/3
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 3.1% (good quality ratio 2.5%)
        • Quality average: 68.3%
        • Quality standard deviation: 32.5%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.42.151.234, 104.79.90.110, 104.43.193.48, 2.20.142.210, 2.20.142.209, 51.11.168.160, 52.147.198.201, 92.122.213.247, 92.122.213.194, 20.54.26.129, 168.61.161.212, 52.155.217.156
        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.

        Simulations

        Behavior and APIs

Time | Type | Description
09:26:08 | API Interceptor | 214x Sleep call for process: DHL_file 187652345643476245.exe modified
09:26:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
09:26:56 | API Interceptor | 182x Sleep call for process: demiusda.exe modified

        Joe Sandbox View / Context

        IPs

Associated Sample Name / URL | Detection

Match: 185.157.160.233
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
FedExs AWB#5305323204643.exe | malicious
URGENT QUOTATION 473833057.exe | malicious
P-O Doc #6620200947535257653.exe | malicious

Match: 105.112.113.90
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
DHL_file 187652345643476245.exe | malicious
FedExs AWB#5305323204643.exe | malicious

                                Domains

Associated Sample Name / URL | Detection | Context (resolved IP)

Match: annapro.linkpc.net
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
FedExs AWB#5305323204643.exe | malicious | 105.112.113.90
DHL_document11022020680908911.exe | malicious | 129.205.113.251
DHL ShipmentDHL Shipment 237590.pdf.exe | malicious | 129.205.124.172
Doc_AWB#5305323204643_UPS.pdf.exe | malicious | 129.205.124.152

                                ASN

Associated Sample Name / URL | Detection | Context (contacted IP)

Match: OBE-EUROPE Obenetwork Europe, SE (AS197595)
dpR3o92MH1.exe | malicious | 185.157.162.81
0qNSJXB8nG.exe | malicious | 185.157.162.81
Order_1101201918_AUTECH.exe | malicious | 185.157.161.86
7w7LwD8bqe.exe | malicious | 185.157.162.81
ZZB5zuv1X0.exe | malicious | 185.157.162.81
spetsifikatsiya.xls | malicious | 185.157.162.81
ptoovvKZ80.exe | malicious | 185.157.162.81
spetsifikatsiya.xls | malicious | 185.157.162.81
EnJsj6nuD4.exe | malicious | 185.157.162.81
AdviceSlip.xls | malicious | 217.64.149.169
DHL_file 187652345643476245.exe | malicious | 185.157.160.233
DHL_file 187652345643476245.exe | malicious | 185.157.160.233
DHL_file 187652345643476245.exe | malicious | 185.157.160.233
DHL_file 187652345643476245.exe | malicious | 185.157.160.233
50404868-c352-422f-a608-7fd64b335eec.exe | malicious | 185.157.161.86
DHL_file 187652345643476245.exe | malicious | 185.157.160.233
FedExs AWB#5305323204643.exe | malicious | 185.157.160.233
URGENT QUOTATION 473833057.exe | malicious | 185.157.160.233
P-O Doc #6620200947535257653.exe | malicious | 185.157.160.233
SecuriteInfo.com.Trojan.DownLoader36.26524.23979.exe | malicious | 185.157.160.202

Match: VNL1-AS, NG (AS36873)
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
DHL_file 187652345643476245.exe | malicious | 105.112.113.90
Confirmation Copy RefNo-MT102.exe | malicious | 105.112.102.57
FedExs AWB#5305323204643.exe | malicious | 105.112.113.90
PAYMENT COPY.exe | malicious | 105.112.109.37
PO456789.exe | malicious | 105.112.96.12
DHL_10177_R293_DOCUMENT.exe | malicious | 105.112.101.201
ibgcrnNmhB.exe | malicious | 105.112.25.130
purchase order.exe | malicious | 105.112.25.74
packing list.xlsx.exe | malicious | 105.112.69.142
9087654.exe | malicious | 105.112.101.151
RFQ.exe | malicious | 105.112.100.239
LOI.exe | malicious | 105.112.100.239
corporate-tax.exe | malicious | 105.112.101.84
QUOTATION - COVID 19 PROTECTION SOLUTIONS - final.exe | malicious | 105.112.124.8
BDH9YAC4aQ.exe | malicious | 105.112.101.125
JBIY8HTthL.exe | malicious | 105.112.101.125
late-payment.exe | malicious | 105.112.45.74
Doc0_01210_72820.exe | malicious | 105.112.100.246

                                JA3 Fingerprints

                                No context

                                Dropped Files

Associated Sample Name / URL | Detection

Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
SWIFT77266255378434pdf.exe | malicious
SWIFT998775523434pdf.exe | malicious
SWIFT345343445pdf.exe | malicious
Order_1101201918_AUTECH.exe | malicious
1FXO8fI8R3.exe | malicious
SecuriteInfo.com.Variant.Razy.820883.21352.exe | malicious
SWIFT09775527743pdf.exe | malicious
Pi.exe | malicious
PAYMENT SLIP.EXE | malicious
SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe | malicious
iZLqZLqNgq.exe | malicious
UVZxk61Vdc.exe | malicious
gVrKAqVUIw.exe | malicious
OBJEDNAT- SII40513967MM793333.PDF.exe | malicious
Lff0xG1Nlb.exe | malicious
http___auditor3.duckdns.org_ftp.exe | malicious
SDJ-0488.exe | malicious
SecuriteInfo.com.BackDoor.SpyBotNET.25.26343.exe | malicious
u4MLkKgbET.exe | malicious
YLL6LsHHyL.exe | malicious

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_file 187652345643476245.exe.log
                                                                        Process:C:\Users\user\Desktop\DHL_file 187652345643476245.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):1451
                                                                        Entropy (8bit):5.345862727722058
                                                                        Encrypted:false
                                                                        SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                                                                        MD5:06F54CDBFEF62849AF5AE052722BD7B6
                                                                        SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                                                                        SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                                                                        SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                                                                        Malicious:true
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\watchprcss.exe.log
                                                                        Process:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1362
                                                                        Entropy (8bit):5.343186145897752
                                                                        Encrypted:false
                                                                        SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                                                                        MD5:1249251E90A1C28AB8F7235F30056DEB
                                                                        SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                                                                        SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                                                                        SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                                                                        Malicious:false
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                        C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                        Process:C:\Users\user\Desktop\DHL_file 187652345643476245.exe
                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):42080
                                                                        Entropy (8bit):6.2125074198825105
                                                                        Encrypted:false
                                                                        SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                        MD5:F2A47587431C466535F3C3D3427724BE
                                                                        SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                        SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                        SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                        Malicious:true
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SWIFT77266255378434pdf.exe, Detection: malicious
• Filename: SWIFT998775523434pdf.exe, Detection: malicious
• Filename: SWIFT345343445pdf.exe, Detection: malicious
• Filename: Order_1101201918_AUTECH.exe, Detection: malicious
• Filename: 1FXO8fI8R3.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Razy.820883.21352.exe, Detection: malicious
• Filename: SWIFT09775527743pdf.exe, Detection: malicious
• Filename: Pi.exe, Detection: malicious
• Filename: PAYMENT SLIP.EXE, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe, Detection: malicious
• Filename: iZLqZLqNgq.exe, Detection: malicious
• Filename: UVZxk61Vdc.exe, Detection: malicious
• Filename: gVrKAqVUIw.exe, Detection: malicious
• Filename: OBJEDNAT- SII40513967MM793333.PDF.exe, Detection: malicious
• Filename: Lff0xG1Nlb.exe, Detection: malicious
• Filename: http___auditor3.duckdns.org_ftp.exe, Detection: malicious
• Filename: SDJ-0488.exe, Detection: malicious
• Filename: SecuriteInfo.com.BackDoor.SpyBotNET.25.26343.exe, Detection: malicious
• Filename: u4MLkKgbET.exe, Detection: malicious
• Filename: YLL6LsHHyL.exe, Detection: malicious
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..
                                                                        C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        Process:C:\Users\user\AppData\Roaming\demiusda.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):78336
                                                                        Entropy (8bit):4.369296705546591
                                                                        Encrypted:false
                                                                        SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                                        MD5:0E362E7005823D0BEC3719B902ED6D62
                                                                        SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                                        SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                                        SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
                                                                        C:\Users\user\AppData\Local\Temp\watchprcss.txt
                                                                        Process:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):57
                                                                        Entropy (8bit):4.705892979822154
                                                                        Encrypted:false
                                                                        SSDEEP:3:ORVVNWXp5cViEaKC5YBEL4NvHn:OzjWXp+NaZ5YBEL49H
                                                                        MD5:6D53BAE6990F1C3A4F4D9729A9F99D73
                                                                        SHA1:AE73ED5B42B48B09A728BC716F690ABDE5EFDE28
                                                                        SHA-256:CAA78D20B309DFB63A791BBEB7396CF8632C02839D432751A670EE233257665B
                                                                        SHA-512:0D326A2AE317E9CDB240334805EFF947D1689DD28E7E1F43C652F284551C49CBFC13E8CD74802CBD8F648EE19AB04AB4F20B2603B710F26CF2BBC9E5BDE1E4B6
                                                                        Malicious:false
                                                                        Preview: 1240..C:\Users\user\AppData\Roaming\demiusda.exe..6216..
                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                        Process:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                        File Type:ISO-8859 text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):3.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:THt:rt
                                                                        MD5:33EE0B6F6D13E4D20830C3D041CA8765
                                                                        SHA1:E5BF757840F0F7FD17E548BB901B03037AB1DCF8
                                                                        SHA-256:3610AFA3FFB6D11775498D942115542E0A80D0CF644D6DD6849BDD0506095165
                                                                        SHA-512:D682405326C9760E3E8FABD20BF13BBD891B517C11848B9D3DFA183B3C58EA733A1906EFDBF9182880CFA71F7FDD403BF62425CA7212AC3BA06162142FAF1D86
                                                                        Malicious:true
                                                                        Preview: G.Yh..H
                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
                                                                        Process:C:\Users\user\Desktop\DHL_file 187652345643476245.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):904
                                                                        Entropy (8bit):3.113531320897441
                                                                        Encrypted:false
                                                                        SSDEEP:12:8wl0jsXou41w/tz0/CSLYhAOwSmIiw/k3qMJ+IiwPgTCNfBT/v4t2Y+xIBjK:8kf4eWLYhAOwJwMtowPVpd7aB
                                                                        MD5:74F0FF8019BFD75A8B5FCAFE358F46AF
                                                                        SHA1:CEE790BEE58C06B1093988D86E1162309435D362
                                                                        SHA-256:7D9DD5D1A15A1F7DD748116AA608DEC866F46CDBF2DE363EBAF16D3D66A23CF3
                                                                        SHA-512:D721D3939EA6F7DA08635B15F95F964E23A885650A66836ACEFC196430D760484007C3D20AC118996BDBA356FA70069318C3B64F81D565230983C6935EA7E4C2
                                                                        Malicious:false
                                                                        Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................h.a.r.d.z.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....f.2...........demiusda.exe..J............................................d.e.m.i.u.s.d.a...e.x.e.............\.....\.....\.....\.....\.d.e.m.i.u.s.d.a...e.x.e.+.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.e.m.i.u.s.d.a...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                                                                        C:\Users\user\AppData\Roaming\demiusda.exe
                                                                        Process:C:\Users\user\Desktop\DHL_file 187652345643476245.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):668672
                                                                        Entropy (8bit):5.143006502161217
                                                                        Encrypted:false
                                                                        SSDEEP:6144:plckliODxvkrhDdyquS7xY+R/3HMCX7ehD4Yym6D3V2i7LkuotFN5:p+kliXIqh7x7R/XMKqxvyfFI
                                                                        MD5:303E92008EA45ABDE4FC35D8D176015D
                                                                        SHA1:29FF646C7C04A2BE614BDBE87F73DF87ADD78DDA
                                                                        SHA-256:C4DBEC4C0DF381CEE21C2BA0D6105B0F7310C8F108E66E078DF0AD4803148FB6
                                                                        SHA-512:70996F3C23154F43E7F6443FCEDCF54372660C19FFB57689380450B46C9DBA3AF18B50569380AECB5B3D52C705DC16E48B165F2ECE179BA8671191C5E01EC1CD
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 23%
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....pEC.................(...........G... ...`....@.. ....................................`..................................G..O....`............................................................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............2..............@..B.................G......H........$..."......9........5..........................................0.!.dW....U.B{..|..7{f.X.Ye...ri..*.W!dd.K.e....q{..q{.R...Yj..OU#...[.Z.0.rq..ht_1.....XP........U..=...tp.....\MX.]....O..`..\.........ek.<Z.pO.n3_...2.......8....d.{.6i...gXCE.z.....Z+.....t...=.....(.c.N..C...4_...SP#...e.B].......q..]s......E?...jfv[.4......:...e.W.D.sD.............Yq...J..............5.... ..#...........L.......;.......U...<...F8.......*..,S......rj......\)..`....p..
                                                                        C:\Users\user\AppData\Roaming\demiusda.exe:Zone.Identifier
                                                                        Process:C:\Users\user\Desktop\DHL_file 187652345643476245.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Preview: [ZoneTransfer]....ZoneId=0

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):5.143006502161217
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:DHL_file 187652345643476245.exe
                                                                        File size:668672
                                                                        MD5:303e92008ea45abde4fc35d8d176015d
                                                                        SHA1:29ff646c7c04a2be614bdbe87f73df87add78dda
                                                                        SHA256:c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
                                                                        SHA512:70996f3c23154f43e7f6443fcedcf54372660c19ffb57689380450b46c9dba3af18b50569380aecb5b3d52c705dc16e48b165f2ece179ba8671191c5e01ec1cd
                                                                        SSDEEP:6144:plckliODxvkrhDdyquS7xY+R/3HMCX7ehD4Yym6D3V2i7LkuotFN5:p+kliXIqh7x7R/XMKqxvyfFI
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....pEC.................(...........G... ...`....@.. ....................................`................................

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4a47ee
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                        Time Stamp:0x4345708B [Thu Oct 6 18:44:27 2005 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al

                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa479c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa6000          0x60a         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa27f4       0xa2800   False     0.505387620192   data       5.14906503317   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xa6000          0x60a         0x800     False     0.3427734375     data       3.60047757985   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xa60a0  0x380  data
RT_MANIFEST  0xa6420  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                        Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                        Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 1995 :F7C@?H6B:@5A>3@
Assembly Version  1.0.0.0
InternalName      emekaike.exe
FileVersion       2.3.4.5
CompanyName       :F7C@?H6B:@5A>3@
Comments          FB;I;IG>C=B?C9:7
ProductName       3F;D9H8B;FJ77<J=5G=3
ProductVersion    2.3.4.5
FileDescription   3F;D9H8B;FJ77<J=5G=3
OriginalFilename  emekaike.exe

                                                                        Network Behavior

                                                                        Network Port Distribution

                                                                        TCP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 6, 2021 09:27:33.786709070 CET  49724        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:27:36.895843983 CET  49724        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:27:42.911953926 CET  49724        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:27:52.137356997 CET  49731        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:27:55.140928984 CET  49731        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:28:01.147874117 CET  49731        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:28:09.603240013 CET  49736        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:28:12.664458990 CET  49736        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:28:18.665035009 CET  49736        2020       192.168.2.3  185.157.160.233
Jan 6, 2021 09:28:28.262279034 CET  49744        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:28:31.369132996 CET  49744        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:28:37.369640112 CET  49744        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:28:47.495038986 CET  49745        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:28:50.636318922 CET  49745        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:28:56.732465982 CET  49745        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:29:07.716557026 CET  49756        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:29:10.729454994 CET  49756        2020       192.168.2.3  105.112.113.90
Jan 6, 2021 09:29:16.729943991 CET  49756        2020       192.168.2.3  105.112.113.90

                                                                        UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 6, 2021 09:26:07.494633913 CET  50620        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:07.542588949 CET  53           50620      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:08.740783930 CET  64938        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:08.788851976 CET  53           64938      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:10.001523018 CET  60152        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:10.049612045 CET  53           60152      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:14.027250051 CET  57544        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:14.075248957 CET  53           57544      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:16.293397903 CET  55984        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:16.352514982 CET  53           55984      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:30.863061905 CET  64185        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:30.922390938 CET  53           64185      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:41.786823988 CET  65110        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:41.843266964 CET  53           65110      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:44.343044043 CET  58361        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:44.391012907 CET  53           58361      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:46.261770010 CET  63492        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:46.320998907 CET  53           63492      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:48.241674900 CET  60831        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:48.597884893 CET  53           60831      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:49.298086882 CET  60100        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:49.348786116 CET  53           60100      8.8.8.8      192.168.2.3
Jan 6, 2021 09:26:59.944364071 CET  53195        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:26:59.992388010 CET  53           53195      8.8.8.8      192.168.2.3
Jan 6, 2021 09:27:02.138602018 CET  50141        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:27:02.197505951 CET  53           50141      8.8.8.8      192.168.2.3
Jan 6, 2021 09:27:18.218920946 CET  53023        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:27:18.282691002 CET  53           53023      8.8.8.8      192.168.2.3
Jan 6, 2021 09:27:27.543916941 CET  49563        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:27:27.594078064 CET  53           49563      8.8.8.8      192.168.2.3
Jan 6, 2021 09:27:35.379808903 CET  51352        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:27:35.436439037 CET  53           51352      8.8.8.8      192.168.2.3
Jan 6, 2021 09:27:36.046333075 CET  59349        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:27:36.094225883 CET  53           59349      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:03.951165915 CET  57084        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:03.998981953 CET  53           57084      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:08.051258087 CET  58823        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:08.099241972 CET  53           58823      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:09.367156029 CET  57568        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:09.415255070 CET  50540        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:09.415271044 CET  53           57568      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:09.489496946 CET  53           50540      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:12.442214012 CET  54366        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:12.490132093 CET  53           54366      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:13.524734974 CET  53034        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:13.572575092 CET  53           53034      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:14.642323971 CET  57762        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:14.690243006 CET  53           57762      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:16.154258013 CET  55435        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:16.210279942 CET  53           55435      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:17.323147058 CET  50713        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:17.378025055 CET  53           50713      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:18.371445894 CET  56132        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:18.422231913 CET  53           56132      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:19.351128101 CET  58987        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:19.398963928 CET  53           58987      8.8.8.8      192.168.2.3
Jan 6, 2021 09:28:28.048451900 CET  56579        53         192.168.2.3  8.8.8.8
Jan 6, 2021 09:28:28.209052086 CET  53           56579      8.8.8.8      192.168.2.3
                                                                        Jan 6, 2021 09:28:47.425271988 CET6063353192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:47.481437922 CET53606338.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:52.147876024 CET6129253192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:52.204247952 CET53612928.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:52.717561007 CET6361953192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:52.773730993 CET53636198.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:53.292967081 CET6493853192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:53.349289894 CET53649388.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:54.042546988 CET6194653192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:54.109565973 CET53619468.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:54.566910982 CET6491053192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:54.623078108 CET53649108.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:55.138413906 CET5212353192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:55.197541952 CET53521238.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:55.695528984 CET5613053192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:55.754605055 CET53561308.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:56.330974102 CET5633853192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:56.378962040 CET53563388.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:57.080907106 CET5942053192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:57.137142897 CET53594208.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:28:57.533690929 CET5878453192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:28:57.589957952 CET53587848.8.8.8192.168.2.3
                                                                        Jan 6, 2021 09:29:07.639687061 CET6397853192.168.2.38.8.8.8
                                                                        Jan 6, 2021 09:29:07.695921898 CET53639788.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 6, 2021 09:28:28.048451900 CET | 192.168.2.3 | 8.8.8.8 | 0xb75c | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)
Jan 6, 2021 09:28:47.425271988 CET | 192.168.2.3 | 8.8.8.8 | 0x3a5c | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)
Jan 6, 2021 09:29:07.639687061 CET | 192.168.2.3 | 8.8.8.8 | 0x63c | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 6, 2021 09:28:28.209052086 CET | 8.8.8.8 | 192.168.2.3 | 0xb75c | No error (0) | annapro.linkpc.net |  | 105.112.113.90 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:28:47.481437922 CET | 8.8.8.8 | 192.168.2.3 | 0x3a5c | No error (0) | annapro.linkpc.net |  | 105.112.113.90 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:29:07.695921898 CET | 8.8.8.8 | 192.168.2.3 | 0x63c | No error (0) | annapro.linkpc.net |  | 105.112.113.90 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:26:04
Start date: 06/01/2021
Path: C:\Users\user\Desktop\DHL_file 187652345643476245.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe'
Imagebase: 0xbc0000
File size: 668672 bytes
MD5 hash: 303E92008EA45ABDE4FC35D8D176015D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:26:49
Start date: 06/01/2021
Path: C:\Users\user\AppData\Roaming\demiusda.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\demiusda.exe'
Imagebase: 0xd50000
File size: 668672 bytes
MD5 hash: 303E92008EA45ABDE4FC35D8D176015D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 23%, ReversingLabs
Reputation: low

General

Start time: 09:27:26
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase: 0x7ff7488e0000
File size: 42080 bytes
MD5 hash: F2A47587431C466535F3C3D3427724BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 09:27:36
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xe20000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low

General

Start time: 09:27:38
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0x200000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:27:43
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xe40000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:27:45
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xee0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:27:50
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0x940000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:27:54
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xf30000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:27:57
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xa80000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:28:00
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0x4f0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:28:03
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xdd0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:28:06
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0x410000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:28:10
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xf10000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:28:16
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
Imagebase: 0xd40000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

                                                                        General

                                                                        Start time:09:28:21
                                                                        Start date:06/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
                                                                        Imagebase:0x90000
                                                                        File size:78336 bytes
                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET

                                                                        General

                                                                        Start time:09:28:24
                                                                        Start date:06/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
                                                                        Imagebase:0xa80000
                                                                        File size:78336 bytes
                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET

                                                                        General

                                                                        Start time:09:28:29
                                                                        Start date:06/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
                                                                        Imagebase:0xc30000
                                                                        File size:78336 bytes
                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET

                                                                        General

                                                                        Start time:09:28:35
                                                                        Start date:06/01/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\watchprcss.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
                                                                        Imagebase:0x990000
                                                                        File size:78336 bytes
                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET

                                                                        Disassembly

                                                                        Code Analysis
