Analysis Report DHL_file 187652345643476245.exe

Overview

General Information

Sample Name: DHL_file 187652345643476245.exe
Analysis ID: 336532
MD5: 303e92008ea45abde4fc35d8d176015d
SHA1: 29ff646c7c04a2be614bdbe87f73df87add78dda
SHA256: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
Tags: DHL, exe, Hostwinds, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • DHL_file 187652345643476245.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
    • demiusda.exe (PID: 1240 cmdline: 'C:\Users\user\AppData\Roaming\demiusda.exe' MD5: 303E92008EA45ABDE4FC35D8D176015D)
      • AddInProcess32.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • watchprcss.exe (PID: 5164 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6304 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 5024 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 4076 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7020 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 476 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 6284 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 1724 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7040 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • watchprcss.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • watchprcss.exe (PID: 6216 cmdline: 'C:\Users\user\AppData\Local\Temp\watchprcss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.160.233", "105.112.113.90"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x2f25:$a: NanoCore
  • 0x2f7e:$a: NanoCore
  • 0x2fbb:$a: NanoCore
  • 0x3034:$a: NanoCore
  • 0x166df:$a: NanoCore
  • 0x166f4:$a: NanoCore
  • 0x16729:$a: NanoCore
  • 0x2f1a3:$a: NanoCore
  • 0x2f1b8:$a: NanoCore
  • 0x2f1ed:$a: NanoCore
  • 0x2f87:$b: ClientPlugin
  • 0x2fc4:$b: ClientPlugin
  • 0x38c2:$b: ClientPlugin
  • 0x38cf:$b: ClientPlugin
  • 0x1649b:$b: ClientPlugin
  • 0x164b6:$b: ClientPlugin
  • 0x164e6:$b: ClientPlugin
  • 0x166fd:$b: ClientPlugin
  • 0x16732:$b: ClientPlugin
  • 0x2ef5f:$b: ClientPlugin
  • 0x2ef7a:$b: ClientPlugin
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1043d:$x1: NanoCore.ClientPluginHost
  • 0x1047a:$x2: IClientNetworkHost
  • 0x13fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 1256, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview


AV Detection:

Found malware configuration
Source: AddInProcess32.exe.1256.17.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.160.233", "105.112.113.90"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\demiusda.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: DHL_file 187652345643476245.exe | ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match | File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 17.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then jmp 02DAF636h
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0318F636h
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 0588868Eh
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 4x nop then jmp 058891E7h
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 015E0799h
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 02700799h
Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe | Code function: 4x nop then jmp 032E0799h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.160.233
Source: Malware configuration extractor | IPs: 105.112.113.90
Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 185.157.160.233:2020
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 105.112.113.90:2020
Source: Joe Sandbox View | IP Address: 185.157.160.233 185.157.160.233
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown | DNS traffic detected: queries for: annapro.linkpc.net
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307699321.0000000001519000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp:
Source: demiusda.exe, 0000000C.00000002.615285551.0000000001799000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: demiusda.exe, 0000000C.00000002.612789504.000000000152A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.615389852.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY
Source: Yara match | File source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058843A0 CreateProcessAsUserW,
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_00BC471C
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DA4098
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DA4800
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAA918
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAEE70
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DA9E20
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAF768
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAD700
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DABC40
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DA7C20
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAA909
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAD6F0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAEE62
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DA9E10
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAEE28
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DAF758
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_02DABC30
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A87F8
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A5930
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057ABA00
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057AC520
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057AC510
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A536F
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A5380
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A0380
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057A5923
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057AB9F0
Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe | Code function: 0_2_057AB9B0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_03187BB0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318A909
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_03184098
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318F768
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_03189E10
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318D6F0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318ED7F
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318BC30
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318F758
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_0318EE63
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05880CC8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058813F8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05885B00
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05883210
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058849A8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058829C7
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058829D8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05882550
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05882560
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05880CB8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05883C60
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05883C70
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_058813E8
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05886720
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05885AF0
Source: C:\Users\user\AppData\Roaming\demiusda.exe | Code function: 12_2_05883200
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_00B12050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_013EE471
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_013EE480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_013EBBD4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_0557F5F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_05579788
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 17_2_0557A602
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: DHL_file 187652345643476245.exe, 00000000.00000002.310619825.0000000005690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309186882.0000000004F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.307262138.0000000000C66000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.308442097.0000000003F69000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.309116173.0000000004ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe, 00000000.00000002.312320361.00000000085A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_file 187652345643476245.exe
Source: DHL_file 187652345643476245.exe | Binary or memory string: OriginalFilenameemekaike.exeL vs DHL_file 187652345643476245.exe
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624186822.0000000005610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.620217311.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.623749902.0000000004231000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624626944.0000000004DB7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.624595498.0000000005A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.624416649.0000000004CEA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.607848743.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: AddInProcess32.exe PID: 1256, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: demiusda.exe PID: 1240, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5610000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.5a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: DHL_file 187652345643476245.exe, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: DHL_file 187652345643476245.exe, g0XP/Aq8w.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: demiusda.exe.0.dr, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: demiusda.exe.0.dr, g0XP/Aq8w.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.0.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.DHL_file 187652345643476245.exe.bc0000.0.unpack, g0XP/Aq8w.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 12.0.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: 12.0.demiusda.exe.d50000.0.unpack, g0XP/Aq8w.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.demiusda.exe.d50000.0.unpack, Sg6/Tx6.cs; Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine; Classification label: mal100.troj.evad.winEXE@38/25@3/3
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{1463e4a3-f6a6-4e08-9907-1283c197d8fd}
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: DHL_file 187652345643476245.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: DHL_file 187652345643476245.exe; ReversingLabs: Detection: 22%
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File read: C:\Users\user\Desktop\DHL_file 187652345643476245.exe
      Source: unknown; Process created: C:\Users\user\Desktop\DHL_file 187652345643476245.exe 'C:\Users\user\Desktop\DHL_file 187652345643476245.exe'
      Source: unknown; Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
      Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Process created: C:\Users\user\AppData\Roaming\demiusda.exe 'C:\Users\user\AppData\Roaming\demiusda.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Process created: unknown unknown
      Source: C:\Users\user\AppData\Local\Temp\watchprcss.exe; Process created: C:\Users\user\AppData\Local\Temp\watchprcss.exe 'C:\Users\user\AppData\Local\Temp\watchprcss.exe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: DHL_file 187652345643476245.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: DHL_file 187652345643476245.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
      Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000011.00000000.384796017.0000000000B12000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Binary contains a suspicious time stamp
      Source: initial sample; Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Code function: 0_2_00BC6DF4 push cs; retf
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Code function: 0_2_00BC23E0 push esp; retn 0000h
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Code function: 0_2_00BC3400 push cs; retf
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; Code function: 0_2_057ADE4B pushad ; ret
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Code function: 12_2_00D53400 push cs; retf
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Code function: 12_2_00D56DF4 push cs; retf
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; Code function: 12_2_00D523E0 push esp; retn 0000h
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 17_2_055769FA push esp; retf
      Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 17_2_055769F8 pushad ; retf
      Source: watchprcss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: watchprcss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: watchprcss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: watchprcss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: watchprcss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 17.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 19.2.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 19.0.watchprcss.exe.e20000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 20.2.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 20.0.watchprcss.exe.200000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: 22.0.watchprcss.exe.e40000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File created: C:\Users\user\AppData\Roaming\demiusda.exe
      Source: C:\Users\user\AppData\Roaming\demiusda.exe; File created: C:\Users\user\AppData\Local\Temp\watchprcss.exe
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Source: C:\Users\user\Desktop\DHL_file 187652345643476245.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk

      Hooking and other Techniques for Hiding and Protection:
