Play interactive tour

Edit tour

Analysis Report Thag3EQkV3.exe

Overview

General Information

Sample Name:	Thag3EQkV3.exe
Analysis ID:	403510
MD5:	46596598ee9fe7c1b4677cbbfe8a00bf
SHA1:	59eae73c4d6519a70f0be2df462af90c8f53a5b0
SHA256:	01049edaf2ce6f350d8309ed530221c8371faac224e408c778beb56c7211df19
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

Thag3EQkV3.exe (PID: 6416 cmdline: 'C:\Users\user\Desktop\Thag3EQkV3.exe' MD5: 46596598EE9FE7C1B4677CBBFE8A00BF)

powershell.exe (PID: 6620 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6740 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Thag3EQkV3.exe (PID: 6968 cmdline: C:\Users\user\Desktop\Thag3EQkV3.exe MD5: 46596598EE9FE7C1B4677CBBFE8A00BF)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "46cf722b-bc9c-42c9-8cd2-ffe3d266", "Group": "Guestar", "Domain1": "securityveriservers.ddns.net", "Domain2": "securityveriservers.ddns.net", "Port": 1204, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x91afd:$x1: NanoCore.ClientPluginHost 0xc431d:$x1: NanoCore.ClientPluginHost 0x91b3a:$x2: IClientNetworkHost 0xc435a:$x2: IClientNetworkHost 0x9566d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc7e8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x91865:$a: NanoCore 0x91875:$a: NanoCore 0x91aa9:$a: NanoCore 0x91abd:$a: NanoCore 0x91afd:$a: NanoCore 0xc4085:$a: NanoCore 0xc4095:$a: NanoCore 0xc42c9:$a: NanoCore 0xc42dd:$a: NanoCore 0xc431d:$a: NanoCore 0x918c4:$b: ClientPlugin 0x91ac6:$b: ClientPlugin 0x91b06:$b: ClientPlugin 0xc40e4:$b: ClientPlugin 0xc42e6:$b: ClientPlugin 0xc4326:$b: ClientPlugin 0x919eb:$c: ProjectData 0xc420b:$c: ProjectData 0x923f2:$d: DESCrypto 0xc4c12:$d: DESCrypto 0x99dbe:$e: KeepAlive
00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Thag3EQkV3.exe PID: 6416	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe5093:$x1: NanoCore.ClientPluginHost 0x103d7e:$x1: NanoCore.ClientPluginHost 0xe50f4:$x2: IClientNetworkHost 0x103ddf:$x2: IClientNetworkHost 0xea4f9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf846b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1091e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x117156:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Thag3EQkV3.exe PID: 6416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Thag3EQkV3.exe PID: 6416	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Thag3EQkV3.exe PID: 6416	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe4b98:$a: NanoCore 0xe4bb4:$a: NanoCore 0xe4d0f:$a: NanoCore 0xe4d1e:$a: NanoCore 0xe4ff7:$a: NanoCore 0xe5023:$a: NanoCore 0xe5093:$a: NanoCore 0xf4ad5:$a: NanoCore 0xf4ae7:$a: NanoCore 0xf4b23:$a: NanoCore 0x103883:$a: NanoCore 0x10389f:$a: NanoCore 0x1039fa:$a: NanoCore 0x103a09:$a: NanoCore 0x103ce2:$a: NanoCore 0x103d0e:$a: NanoCore 0x103d7e:$a: NanoCore 0x1137c0:$a: NanoCore 0x1137d2:$a: NanoCore 0x11380e:$a: NanoCore 0xe4c3f:$b: ClientPlugin
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Thag3EQkV3.exe.374a970.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Thag3EQkV3.exe.374a970.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Thag3EQkV3.exe.374a970.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Thag3EQkV3.exe.374a970.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.Thag3EQkV3.exe.374a970.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Thag3EQkV3.exe.374a970.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.Thag3EQkV3.exe.374a970.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Thag3EQkV3.exe.374a970.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Thag3EQkV3.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Thag3EQkV3.exe' , ParentImage: C:\Users\user\Desktop\Thag3EQkV3.exe, ParentProcessId: 6416, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp', ProcessId: 6772

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "46cf722b-bc9c-42c9-8cd2-ffe3d266", "Group": "Guestar", "Domain1": "securityveriservers.ddns.net", "Domain2": "securityveriservers.ddns.net", "Port": 1204, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\dZmzbca.exe

ReversingLabs: Detection: 48%

Multi AV Scanner detection for submitted file

Show sources

Source: Thag3EQkV3.exe	Virustotal: Detection: 42%			Perma Link
Source: Thag3EQkV3.exe	ReversingLabs: Detection: 48%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE

Source: Thag3EQkV3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Thag3EQkV3.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: \??\C:\Windows\dll\System.pdb source: Thag3EQkV3.exe, 0000000C.00000003.814178189.0000000006C04000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49749 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 89.44.9.69:1204
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 89.44.9.69:1204

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: securityveriservers.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: securityveriservers.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 89.44.9.69:1204

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown

DNS traffic detected: queries for: securityveriservers.ddns.net

Source: powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000003.817869139.000000000555E000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro$
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Code function: 0_2_00C5C124
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Code function: 0_2_00C5E560
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Code function: 0_2_00C5E570

Source: Thag3EQkV3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dZmzbca.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Thag3EQkV3.exe, 00000000.00000002.689719709.000000000B5A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 00000000.00000002.686212788.0000000004C90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNT1.dll6 vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 00000000.00000003.667389387.000000000BB9D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSuppressMessageAttribute.exe> vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 00000000.00000002.681013463.00000000037CF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 00000000.00000002.690959767.000000000B690000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 00000000.00000002.690959767.000000000B690000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 0000000C.00000003.700800427.0000000006B31000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe, 0000000C.00000000.674355381.0000000000E1A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSuppressMessageAttribute.exe> vs Thag3EQkV3.exe
Source: Thag3EQkV3.exe	Binary or memory string: OriginalFilenameSuppressMessageAttribute.exe> vs Thag3EQkV3.exe

Source: Thag3EQkV3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/23@14/2

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File created: C:\Users\user\AppData\Roaming\dZmzbca.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Mutant created: \Sessions\1\BaseNamedObjects\kWwRzclrksXLKVpkgQLf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{46cf722b-bc9c-42c9-8cd2-ffe3d266cecd}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8204.tmp

Jump to behavior

Source: Thag3EQkV3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Thag3EQkV3.exe	Virustotal: Detection: 42%
Source: Thag3EQkV3.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File read: C:\Users\user\Desktop\Thag3EQkV3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Thag3EQkV3.exe 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Users\user\Desktop\Thag3EQkV3.exe C:\Users\user\Desktop\Thag3EQkV3.exe
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Users\user\Desktop\Thag3EQkV3.exe C:\Users\user\Desktop\Thag3EQkV3.exe

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Thag3EQkV3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Thag3EQkV3.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Thag3EQkV3.exe

Static file information: File size 1311744 > 1048576

Source: Thag3EQkV3.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117e00

Source: Thag3EQkV3.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: \??\C:\Windows\dll\System.pdb source: Thag3EQkV3.exe, 0000000C.00000003.814178189.0000000006C04000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Thag3EQkV3.exe, KatmanliMimari/EventRegistration.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dZmzbca.exe.0.dr, KatmanliMimari/EventRegistration.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Thag3EQkV3.exe.2b0000.0.unpack, KatmanliMimari/EventRegistration.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Thag3EQkV3.exe.2b0000.0.unpack, KatmanliMimari/EventRegistration.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.Thag3EQkV3.exe.cf0000.0.unpack, KatmanliMimari/EventRegistration.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.17004938449
Source: initial sample	Static PE information: section name: .text entropy: 7.17004938449

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File created: C:\Users\user\AppData\Roaming\dZmzbca.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

File opened: C:\Users\user\Desktop\Thag3EQkV3.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2904
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3915
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3154
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Window / User API: threadDelayed 5016
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Window / User API: threadDelayed 2808
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Window / User API: foregroundWindowGot 579
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Window / User API: foregroundWindowGot 556

Source: C:\Users\user\Desktop\Thag3EQkV3.exe TID: 6420	Thread sleep time: -102617s >= -30000s
Source: C:\Users\user\Desktop\Thag3EQkV3.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6560	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6560	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884	Thread sleep count: 3843 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072	Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884	Thread sleep count: 3389 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1664	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052	Thread sleep count: 3915 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052	Thread sleep count: 3154 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7156	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Thag3EQkV3.exe TID: 5980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Thag3EQkV3.exe TID: 5924	Thread sleep time: -540000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Thread delayed: delay time: 102617
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Thread delayed: delay time: 922337203685477

Source: Thag3EQkV3.exe, 00000000.00000003.667452611.000000000BB71000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000003.00000003.887545117.0000000004CE9000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.884811864.0000000005398000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.902675042.00000000051BC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Thag3EQkV3.exe, 00000000.00000003.667452611.000000000BB71000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareC253FA6UWin32_VideoController2TDODNGRVideoController120060621000000.000000-00004064029display.infMSBDAAESBBGWWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsOBTG_G32
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: #l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Thag3EQkV3.exe, 00000000.00000003.667452611.000000000BB71000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareC253FA6UWin32_VideoController2TDODNGRVideoController120060621000000.000000-00004064029display.inf
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: powershell.exe, 00000003.00000003.887545117.0000000004CE9000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.884811864.0000000005398000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.902675042.00000000051BC000.00000004.00000001.sdmp	Binary or memory string: #l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: #l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Process created: C:\Users\user\Desktop\Thag3EQkV3.exe C:\Users\user\Desktop\Thag3EQkV3.exe

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Users\user\Desktop\Thag3EQkV3.exe VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Users\user\Desktop\Thag3EQkV3.exe VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\Thag3EQkV3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Thag3EQkV3.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Thag3EQkV3.exe, 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Thag3EQkV3.exe, 0000000C.00000003.700800427.0000000006B31000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Thag3EQkV3.exe PID: 6416, type: MEMORY
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Thag3EQkV3.exe.374a970.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Scheduled Task/Job1	Process Injection11	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Security Software Discovery321	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing11	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Thag3EQkV3.exe	43%	Virustotal		Browse
Thag3EQkV3.exe	12%	Metadefender		Browse
Thag3EQkV3.exe	48%	ReversingLabs	Win32.Infostealer.Racealer

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dZmzbca.exe	12%	Metadefender		Browse
C:\Users\user\AppData\Roaming\dZmzbca.exe	48%	ReversingLabs	Win32.Infostealer.Racealer

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
securityveriservers.ddns.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://go.micro$	0%	Avira URL Cloud	safe
securityveriservers.ddns.net	2%	Virustotal		Browse
securityveriservers.ddns.net	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
securityveriservers.ddns.net	89.44.9.69	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
securityveriservers.ddns.net	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://go.micro$	powershell.exe, 00000005.00000003.817869139.000000000555E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000003.812644564.00000000076F6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.810773601.0000000007BE3000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Thag3EQkV3.exe, 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.44.9.69	securityveriservers.ddns.net	Romania		9009	M247GB	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403510
Start date:	04.05.2021
Start time:	06:51:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Thag3EQkV3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/23@14/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 37% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 92.122.145.220, 13.88.21.125, 20.50.102.62, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 20.190.160.73, 20.190.160.136, 20.190.160.75, 20.190.160.2, 20.190.160.4, 20.190.160.6, 20.190.160.134, 20.190.160.69 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:52:21	API Interceptor	945x Sleep call for process: Thag3EQkV3.exe modified
06:53:18	API Interceptor	191x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	4DFwAlmW1K.exe	Get hash	malicious	Browse	217.138.219.135
	PO 105008.exe	Get hash	malicious	Browse	89.238.188.232
	M3f3pIfDgg.dll	Get hash	malicious	Browse	83.97.20.126
	valuePasteList.dll	Get hash	malicious	Browse	83.97.20.126
	YKvq2yv61s.exe	Get hash	malicious	Browse	172.111.153.139
	6c9e4dd7_by_Libranalysis.exe	Get hash	malicious	Browse	172.111.153.139
	hsCNXH5WfPktCMH.exe	Get hash	malicious	Browse	217.138.212.58
	24032130395451.pdf .exe	Get hash	malicious	Browse	217.138.219.123
	TPE-CHESTERFIELD, MI 48051 (DDP)#U99ff#U5f975008.exe	Get hash	malicious	Browse	188.72.124.143
	BsqYZjzDe2.exe	Get hash	malicious	Browse	38.132.99.156
	m1WOP5oC15Xaepo.exe	Get hash	malicious	Browse	217.138.212.58
	RgEfFMWH7mMuuke.exe	Get hash	malicious	Browse	217.138.212.58
	Freight Return Document Receipt-Shipment042122_pdf.exe	Get hash	malicious	Browse	195.206.105.10
	Bloomberg BNA Invoice Enclosed 09847679531.xls	Get hash	malicious	Browse	89.40.206.121
	7mB68AZqJs.exe	Get hash	malicious	Browse	217.138.219.123
	35742.exe	Get hash	malicious	Browse	45.141.152.18
	A0R0T8clkq.exe	Get hash	malicious	Browse	38.132.99.156
	Balancepayment-PDF.exe	Get hash	malicious	Browse	45.141.152.18
	a7cQje0wGxiZkwL.exe	Get hash	malicious	Browse	217.138.212.58
	548235.exe	Get hash	malicious	Browse	45.141.152.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Thag3EQkV3.exe.log Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.996142136926143
Encrypted:	false
SSDEEP:	384:4NXp5K3EJOdBSib4fdVoGIpN6KQkj2mYoH78kjh4iUx/:4NZs3EJOdBUV3IpNBQkj2mYoH7Vh4iUF
MD5:	4289DB95A6CDB207BA517F49C4A24D05
SHA1:	548752FCAA6FF477FCA724F04809A43692B29026
SHA-256:	D8BEF607E5237F2BDF202D39986BE376BCCFDE2AEA8DD6226E7CA2D70380FF03
SHA-512:	B356277C639B39CA04ADD0BBE0087AFEADD617696F4ACE67AE5E008CD7B65AC681ECFC65BD3DD8061FC292D53FB959672F15EDF21F3DDFA2CB5EA0CC1A63BD9E
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE.............a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider................Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepo

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22312
Entropy (8bit):	5.587388291742761
Encrypted:	false
SSDEEP:	384:ttCD70Fz/zj2/r3YSBKnyultIaTbWFQ9QDZ1ReR21pMrmIZ+AV7S/Lvj5rkI+C0:L72/DY4KyultzTSC9M1Re1dftP
MD5:	754C024678ED1CDF33F3B5803B50C98D
SHA1:	C2A79BAD448EE0C910B6601E48779287A622525B
SHA-256:	2EA18101D538A33919657002B055AF4E57B29CE5452C53350827E91FE1F33853
SHA-512:	354F14CEC24C32828FBA8847E131CFF7014BE67A667FF8CA17E343EE670CE9D58145559FC42EEC8367FEB7E1EEE09D3C8146D99881D64D14C26C54D8B98352D4
Malicious:	false
Preview:	@...e.................................G.5............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5hrep33y.yqe.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f12zqadg.xi1.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktivmfxo.eba.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgu1nmop.ph5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvwwrcl4.q0o.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wajlphlf.nmw.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp8204.tmp Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.179180318880331
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGNtn:cbhK79lNQR/rydbz9I3YODOLNdq3u
MD5:	D14D27982BB1E341E6C76DF133118CBA
SHA1:	019EB713294FE92A16AFBB02D6D04163C765038A
SHA-256:	70BB25C92FD640D49AB95670C5CAC956B1F547B9DE926E7F8AE6BE3D5C135797
SHA-512:	1046D6DE61AA44586CBF2D822132756FD9CDA4A64CCC4DD3925BD7995DD23D96C259286647227BEF8C795F95E5AA728D1F2B52872BFA65D8227D635C7965270E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	data
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	7.002255904801018
Encrypted:	false
SSDEEP:	48:Ik/l4qk/l4qk/l4qk/l4qk/l4qk/l4qk/l4qk/l4qk/l4x:flglglglglglglglglE
MD5:	F15D8A964EB90E425BE1A8D14737C261
SHA1:	EE64B9095C84589881EDD4A317280FC461360209
SHA-256:	F68636A717CDEEF69EA7AC43F1FC96DE8010565A16840C0B9924D27560E07BF4
SHA-512:	DFC56338D3E813FF0473DE54E4C5AC56810936E086DADE9FC7803C0536A79310D50967F65B47FD3F55EB2E62F3B6035CF6DF89DB9CF3294C64688EBF0A974AFB
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}....N.xp...(..S.,......7..<......5....B....s...Si...a..RP..m:....:.J.\.. =-X.?..Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}....N.xp...(..S.,......7..<......5....B....s...Si...a..RP..m:....:.J.\.. =-X.?..Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}....N.xp...(..S.,......7..<......5....B....s...Si...a..RP..m:....:.J.\.. =-X.?..Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}....N.xp...(..S.,......7..<......5....B....s...Si...a..RP..m:....:.J.\.. =-X.?..Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}....

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:xr8n:xr8
MD5:	5E22D59515A7D7900E9D95C1C71BEAE6
SHA1:	ADA625A0478EB2762E67565523C833ED8306D5B6
SHA-256:	7BB7A7DAFCB215094BF61420BBC13BE7519DA99902B968BF9D124D56CA16C987
SHA-512:	18BC7F318674BEF1C94E19AA6D542C739140944B569B921942F178E3D14AEAE57BC5FF8510C13D395D6B504DEA2804227081C70A3BD5210BF9835F431174313F
Malicious:	true
Preview:	...l...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	data
Category:	dropped
Size (bytes):	297592
Entropy (8bit):	7.999366200245906
Encrypted:	true
SSDEEP:	6144:b23o8kGKvpIJIA9PT4kFq4Bm5Tb9dfoCjKjpdHUz5QGPqxjQ3VxsnnUC+GeNIa:58kLp9YPT4ks7TOCWjpd0zWrGS8X
MD5:	27C5226E10AC55C8A6CEA5328C87F82A
SHA1:	25A1EDE5EA110A07BCCD617C233277614AEF93D1
SHA-256:	6C2E803D5ABEC40BC313078A3A8F319D24F3975ACC04F39A47852B5F9AA12117
SHA-512:	62522485FC3BE164394673627BD52AE6CC81B6A151F05102630761DFE81E2F40CB04F0FF938DA9B4C5A75A95D628EAE25D106509BCFF415A98FA706AE1031A28
Malicious:	false
Preview:	..v.6....u.........3....N..Ot.c........./+.6.)..........W...........:-....;B?e..oh9.] .\|......1.x..\|...0i..8^..A..5.49.>;........\..a..e%r..mDARGgSr..~..t.\|w..l...>L..0lz.$/.......l..$.A.....c.rtJ.b..@...vJ........0...n%...@$.SV..7..P..j.a.'){...n;..5G!.ww....qQ....o.m.....z....t..<....%lQN..?>Lg..`.....U;z}{..T.u=/<&qO,...)..L...j3...f,.......y..l..b.......Q..g..RKu^$.1`d.u.>h..!/4..+...3...3.9....:...f..ZP...z8=..!.....1..;{N.C.....3~.S{5...\|.;Y....5..T.{9.I..J..K..enX....z..U.VNR.cihV...A.o..n....?"...a.1....q.7.f....p.JE.....`....F.....".Ir?........8ZP.j.&;.....FT.D...s...`N..".BAM.....4..xY,.F....k#......~...U..}.^.a..%........0..C.....B.O..8..@...T.....{.......S..f...W.?.O9..R>.e...K..N.c.n....<..nR1...tW.....N=...a.. .,%%\.U([..+.k.B..Uy...=.]L.~"y...?.. ...Y....2B4..<...xa....1(...~l...t..D.)x..u...k.....L...5U....-b.h.u.;..?.......{./............. ....a...,U....1<..../.;E....t....Ju1..Oy ........n.nUp.O.m...OG.#.....

C:\Users\user\AppData\Roaming\dZmzbca.exe Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1311744
Entropy (8bit):	7.035004480483992
Encrypted:	false
SSDEEP:	12288:eDyZy/oX9DtB9lovcsB4AGbIkDH3CPKkm2QoktltFFxiHC6gQLPqSE:AyZy6DnpsBHa6KP+gtfxOTPqN
MD5:	46596598EE9FE7C1B4677CBBFE8A00BF
SHA1:	59EAE73C4D6519A70F0BE2DF462AF90C8F53A5B0
SHA-256:	01049EDAF2CE6F350D8309ED530221C8371FAAC224E408C778BEB56C7211DF19
SHA-512:	960951EB58367493640E5363B40E33AA24F39A195B54F26D36E11DBBC89DF618223AF6FFF7B641C5E7441C73A18705C263CE3A97F2D4A4D2EA6405B54276A2E7
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 12%, Browse Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`..............0..~............... ........@.. .......................`............@.................................D...O.......T....................@....................................................... ............... ..H............text....}... ...~.................. ..`.rsrc...T...........................@..@.reloc.......@......................@..B................x.......H.......L...8l............................................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....".(.......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..u.........{.........,..{....o.........,...{....o.......{.....+;...(%...s....}.....{....o.........,...{....o.......{....

C:\Users\user\AppData\Roaming\dZmzbca.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Thag3EQkV3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.0l+IhawI.20210504065226.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5777
Entropy (8bit):	5.402523674305656
Encrypted:	false
SSDEEP:	96:BZujGNOqDo1Z1ZijGNOqDo1ZidLVjZxjGNOqDo1ZnYlljZ4:I
MD5:	AE80BB0969755834B22C49E2710C1879
SHA1:	5E4D56A8ED215622758F13EF4FF40EE49B94667A
SHA-256:	6D1D5D8D917C8AF594DD6C5B2D914F90B619CD5F4EC9452E455092FEDC4F19FB
SHA-512:	31B8BD4451D13897FF81A3EA100AEE50FBD42868C64A47660BAEFBADF1735EE80900F59E38997995F4D7CB6C3727B646DC94B59C374BD52FDF8A9A56AAEE6EC7
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504065256..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dZmzbca.exe..Process ID: 6740..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504065256..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dZmzbca.exe..********************..Windows PowerShell transcript start..Start time: 20210504065843..Username: computer\user..RunAs User: computer\user..Con

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.pjNT44Nw.20210504065226.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5733
Entropy (8bit):	5.39470775499149
Encrypted:	false
SSDEEP:	96:BZCjGNhqDo1ZIZTjGNhqDo1ZVYuAjZgjGNhqDo1ZI9QQrTZBq:u
MD5:	3AFDFFF2BA546E1410B6BA47B9435731
SHA1:	96FC4BCE1BA6E26C8EB5608BDEF077F3E3D5B285
SHA-256:	773E323B92C6F78BB31EB941A8E7C80B18276A7611F88310B5AC8900DFA8EBBB
SHA-512:	C21914E26ED1885A2E140C03BE7AF010779053FB17DCC04CABA8FBCA123FC652471CCAC1294745BCBCFC9708DE5049E0100ADF6F5FFC463AAEFB3D959B6D407D
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504065252..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Thag3EQkV3.exe..Process ID: 6620..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504065253..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Thag3EQkV3.exe..********************..Windows PowerShell transcript start..Start time: 20210504070206..Username: computer\user..RunAs User: computer\user..Configuration

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.v0ZiGqw1.20210504065230.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5777
Entropy (8bit):	5.399592740502258
Encrypted:	false
SSDEEP:	96:BZnjGNQqDo1ZeZ2jGNQqDo1Z+dLVjZ8jGNQqDo1ZEYllrZc:A
MD5:	09A6D1ABE1086CECD57807AFC96A0203
SHA1:	7D7A2726E2F54C62C88C4957FC4EDB106CDECC29
SHA-256:	6827BA8FAE92650D3A7D1D91EDD8D1022C089DEAE3A985658BF736882A30FB6F
SHA-512:	09671B1FAE168F2B66E95A2F42D09F54E75AFC7A05FFE2416C74C9003950A31D5C3FBBA9628E637509B9B0798EC56E5E61B9AC68F116816F81B6EAB528EFF4AF
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210504065309..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dZmzbca.exe..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210504065310..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\dZmzbca.exe..********************..Windows PowerShell transcript start..Start time: 20210504070434..Username: computer\user..RunAs User: computer\user..Con

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.035004480483992
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Thag3EQkV3.exe
File size:	1311744
MD5:	46596598ee9fe7c1b4677cbbfe8a00bf
SHA1:	59eae73c4d6519a70f0be2df462af90c8f53a5b0
SHA256:	01049edaf2ce6f350d8309ed530221c8371faac224e408c778beb56c7211df19
SHA512:	960951eb58367493640e5363b40e33aa24f39a195b54f26d36e11dbbc89df618223af6fff7b641c5e7441c73a18705c263ce3a97f2d4a4d2ea6405b54276a2e7
SSDEEP:	12288:eDyZy/oX9DtB9lovcsB4AGbIkDH3CPKkm2QoktltFFxiHC6gQLPqSE:AyZy6DnpsBHa6KP+gtfxOTPqN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..~............... ........@.. .......................`............@................................

File Icon


Icon Hash:	d2d2d2f2f2d2cad2

Static PE Info

General
Entrypoint:	0x519d96
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608BDEB0 [Fri Apr 30 10:40:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x119d44	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11a000	0x28054	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x117d9c	0x117e00	False	0.615071251117	data	7.17004938449	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x11a000	0x28054	0x28200	False	0.196596329829	data	5.52128689383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x144000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x11a280	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x12aaa8	0x94a8	data
RT_ICON	0x133f50	0x5488	data
RT_ICON	0x1393d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0x13d600	0x25a8	data
RT_ICON	0x13fba8	0x10a8	data
RT_ICON	0x140c50	0x988	data
RT_ICON	0x1415d8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x141a40	0x76	data
RT_VERSION	0x141ab8	0x3b0	data
RT_MANIFEST	0x141e68	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 Pointers
Assembly Version	2.0.0.0
InternalName	SuppressMessageAttribute.exe
FileVersion	2.0.0.0
CompanyName	Pointers LTD
LegalTrademarks	Pointers
Comments
ProductName	KatmanliMimari
ProductVersion	2.0.0.0
FileDescription	KatmanliMimari
OriginalFilename	SuppressMessageAttribute.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-06:52:35.691617	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	1204	192.168.2.4	89.44.9.69
05/04/21-06:52:46.315666	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1204	192.168.2.4	89.44.9.69
05/04/21-06:52:57.613869	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	1204	192.168.2.4	89.44.9.69
05/04/21-06:53:11.216231	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	1204	192.168.2.4	89.44.9.69
05/04/21-06:53:27.511572	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	1204	192.168.2.4	89.44.9.69
05/04/21-06:53:37.218154	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	1204	192.168.2.4	89.44.9.69
05/04/21-06:53:46.102076	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	1204	192.168.2.4	89.44.9.69
05/04/21-06:54:00.921342	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49765	1204	192.168.2.4	89.44.9.69
05/04/21-06:54:08.453123	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	1204	192.168.2.4	89.44.9.69
05/04/21-06:54:15.214826	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49771	1204	192.168.2.4	89.44.9.69
05/04/21-06:54:22.087740	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8
05/04/21-06:54:22.252566	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	1204	192.168.2.4	89.44.9.69
05/04/21-06:54:28.311488	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49779	1204	192.168.2.4	89.44.9.69

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 06:52:35.491203070 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:35.560121059 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:35.561686039 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:35.691617012 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:35.769012928 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:35.809966087 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:36.396981955 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:36.465771914 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:36.606942892 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:36.781653881 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:36.892478943 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:36.892548084 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.001183987 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033832073 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033859968 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033875942 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033895016 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033914089 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033929110 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033946037 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033956051 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.033962965 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033979893 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.033982038 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.034025908 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.035512924 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.035581112 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.103682995 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103702068 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103722095 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103739977 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103756905 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103774071 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103790045 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103806019 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103809118 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.103823900 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.103852034 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.103884935 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.106355906 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106383085 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106399059 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106415987 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106416941 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.106431961 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106451035 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106467009 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106486082 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106503010 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.106504917 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.106638908 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.109445095 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.109472036 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.109544992 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.172991991 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173026085 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173042059 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173054934 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173182964 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.173284054 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173301935 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173378944 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.173876047 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173897982 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.173981905 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.174207926 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174228907 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174246073 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174263000 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174278975 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174292088 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.174299002 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174318075 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174334049 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174350977 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174355984 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.174369097 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.174396038 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.174431086 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.175620079 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175646067 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175676107 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175695896 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175714016 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175729990 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175772905 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.175812960 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.175851107 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175870895 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175889015 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175905943 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175921917 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175939083 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175941944 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.175956964 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175973892 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.175987005 CEST	49740	1204	192.168.2.4	89.44.9.69
May 4, 2021 06:52:37.175990105 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.176012039 CEST	1204	49740	89.44.9.69	192.168.2.4
May 4, 2021 06:52:37.176016092 CEST	49740	1204	192.168.2.4	89.44.9.69

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 06:52:14.400979996 CEST	54531	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:14.449677944 CEST	53	54531	8.8.8.8	192.168.2.4
May 4, 2021 06:52:15.109172106 CEST	49714	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:15.168134928 CEST	53	49714	8.8.8.8	192.168.2.4
May 4, 2021 06:52:15.378720999 CEST	58028	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:15.427373886 CEST	53	58028	8.8.8.8	192.168.2.4
May 4, 2021 06:52:16.750510931 CEST	53097	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:16.799173117 CEST	53	53097	8.8.8.8	192.168.2.4
May 4, 2021 06:52:18.013556957 CEST	49257	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:18.070765972 CEST	53	49257	8.8.8.8	192.168.2.4
May 4, 2021 06:52:19.156615019 CEST	62389	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:19.205136061 CEST	53	62389	8.8.8.8	192.168.2.4
May 4, 2021 06:52:20.582920074 CEST	49910	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:20.636848927 CEST	53	49910	8.8.8.8	192.168.2.4
May 4, 2021 06:52:21.561728954 CEST	55854	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:21.614970922 CEST	53	55854	8.8.8.8	192.168.2.4
May 4, 2021 06:52:22.900630951 CEST	64549	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:22.949564934 CEST	53	64549	8.8.8.8	192.168.2.4
May 4, 2021 06:52:23.937971115 CEST	63153	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:23.986418962 CEST	53	63153	8.8.8.8	192.168.2.4
May 4, 2021 06:52:25.497857094 CEST	52991	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:25.549484015 CEST	53	52991	8.8.8.8	192.168.2.4
May 4, 2021 06:52:26.880570889 CEST	53700	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:26.930425882 CEST	53	53700	8.8.8.8	192.168.2.4
May 4, 2021 06:52:28.479382992 CEST	51726	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:28.530997992 CEST	53	51726	8.8.8.8	192.168.2.4
May 4, 2021 06:52:29.842281103 CEST	56794	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:29.890939951 CEST	53	56794	8.8.8.8	192.168.2.4
May 4, 2021 06:52:30.807148933 CEST	56534	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:30.857218027 CEST	53	56534	8.8.8.8	192.168.2.4
May 4, 2021 06:52:32.316198111 CEST	56627	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:32.367845058 CEST	53	56627	8.8.8.8	192.168.2.4
May 4, 2021 06:52:33.552509069 CEST	56621	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:33.601248026 CEST	53	56621	8.8.8.8	192.168.2.4
May 4, 2021 06:52:34.760373116 CEST	63116	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:34.811897993 CEST	53	63116	8.8.8.8	192.168.2.4
May 4, 2021 06:52:35.404788017 CEST	64078	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:35.468126059 CEST	53	64078	8.8.8.8	192.168.2.4
May 4, 2021 06:52:36.360310078 CEST	64801	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:36.418663025 CEST	53	64801	8.8.8.8	192.168.2.4
May 4, 2021 06:52:38.334563971 CEST	61721	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:38.387707949 CEST	53	61721	8.8.8.8	192.168.2.4
May 4, 2021 06:52:45.283684015 CEST	51255	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:45.335408926 CEST	53	51255	8.8.8.8	192.168.2.4
May 4, 2021 06:52:46.168754101 CEST	61522	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:46.229815960 CEST	53	61522	8.8.8.8	192.168.2.4
May 4, 2021 06:52:57.483375072 CEST	52337	53	192.168.2.4	8.8.8.8
May 4, 2021 06:52:57.540606976 CEST	53	52337	8.8.8.8	192.168.2.4
May 4, 2021 06:53:02.054086924 CEST	55046	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:02.113373041 CEST	53	55046	8.8.8.8	192.168.2.4
May 4, 2021 06:53:09.059365034 CEST	49612	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:09.119601011 CEST	53	49612	8.8.8.8	192.168.2.4
May 4, 2021 06:53:10.240042925 CEST	49285	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:10.301357031 CEST	53	49285	8.8.8.8	192.168.2.4
May 4, 2021 06:53:20.489739895 CEST	50601	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:20.552572966 CEST	53	50601	8.8.8.8	192.168.2.4
May 4, 2021 06:53:21.600878000 CEST	60875	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:21.660672903 CEST	53	60875	8.8.8.8	192.168.2.4
May 4, 2021 06:53:22.130163908 CEST	56448	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:22.187254906 CEST	53	56448	8.8.8.8	192.168.2.4
May 4, 2021 06:53:24.781240940 CEST	59172	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:24.829933882 CEST	53	59172	8.8.8.8	192.168.2.4
May 4, 2021 06:53:26.124466896 CEST	62420	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:26.174361944 CEST	53	62420	8.8.8.8	192.168.2.4
May 4, 2021 06:53:26.579637051 CEST	60579	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:26.628335953 CEST	53	60579	8.8.8.8	192.168.2.4
May 4, 2021 06:53:27.820656061 CEST	50183	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:27.882646084 CEST	53	50183	8.8.8.8	192.168.2.4
May 4, 2021 06:53:29.356823921 CEST	61531	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:29.413820028 CEST	53	61531	8.8.8.8	192.168.2.4
May 4, 2021 06:53:30.166075945 CEST	49228	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:30.223148108 CEST	53	49228	8.8.8.8	192.168.2.4
May 4, 2021 06:53:33.601983070 CEST	59794	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:33.659370899 CEST	53	59794	8.8.8.8	192.168.2.4
May 4, 2021 06:53:35.273822069 CEST	55916	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:35.323287964 CEST	53	55916	8.8.8.8	192.168.2.4
May 4, 2021 06:53:36.299180031 CEST	52752	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:36.356385946 CEST	53	52752	8.8.8.8	192.168.2.4
May 4, 2021 06:53:36.466579914 CEST	60542	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:36.529876947 CEST	53	60542	8.8.8.8	192.168.2.4
May 4, 2021 06:53:45.569412947 CEST	60689	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:45.629180908 CEST	53	60689	8.8.8.8	192.168.2.4
May 4, 2021 06:53:55.506566048 CEST	64206	53	192.168.2.4	8.8.8.8
May 4, 2021 06:53:55.567790031 CEST	53	64206	8.8.8.8	192.168.2.4
May 4, 2021 06:54:00.605639935 CEST	50904	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:00.662633896 CEST	53	50904	8.8.8.8	192.168.2.4
May 4, 2021 06:54:08.090348005 CEST	57525	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:08.147878885 CEST	53	57525	8.8.8.8	192.168.2.4
May 4, 2021 06:54:11.248502016 CEST	53814	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:11.339107037 CEST	53	53814	8.8.8.8	192.168.2.4
May 4, 2021 06:54:12.005081892 CEST	53418	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:12.063267946 CEST	53	53418	8.8.8.8	192.168.2.4
May 4, 2021 06:54:15.088542938 CEST	62833	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:15.147207975 CEST	53	62833	8.8.8.8	192.168.2.4
May 4, 2021 06:54:16.576061010 CEST	59260	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:16.634821892 CEST	53	59260	8.8.8.8	192.168.2.4
May 4, 2021 06:54:20.248930931 CEST	49944	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:21.288027048 CEST	49944	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:22.086838961 CEST	53	49944	8.8.8.8	192.168.2.4
May 4, 2021 06:54:22.087651014 CEST	53	49944	8.8.8.8	192.168.2.4
May 4, 2021 06:54:28.185599089 CEST	63300	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:28.234452963 CEST	53	63300	8.8.8.8	192.168.2.4
May 4, 2021 06:54:49.843718052 CEST	61449	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:49.895464897 CEST	53	61449	8.8.8.8	192.168.2.4
May 4, 2021 06:54:52.928936005 CEST	51275	53	192.168.2.4	8.8.8.8
May 4, 2021 06:54:52.996159077 CEST	53	51275	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 4, 2021 06:54:22.087739944 CEST	192.168.2.4	8.8.8.8	d010	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 06:52:35.404788017 CEST	192.168.2.4	8.8.8.8	0x87ae	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:52:46.168754101 CEST	192.168.2.4	8.8.8.8	0xdf48	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:52:57.483375072 CEST	192.168.2.4	8.8.8.8	0x12fe	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:53:10.240042925 CEST	192.168.2.4	8.8.8.8	0xe000	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:53:26.579637051 CEST	192.168.2.4	8.8.8.8	0xa845	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:53:36.466579914 CEST	192.168.2.4	8.8.8.8	0x4313	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:53:45.569412947 CEST	192.168.2.4	8.8.8.8	0xa9ad	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:53:55.506566048 CEST	192.168.2.4	8.8.8.8	0xb816	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:00.605639935 CEST	192.168.2.4	8.8.8.8	0x933	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:08.090348005 CEST	192.168.2.4	8.8.8.8	0xb99f	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:15.088542938 CEST	192.168.2.4	8.8.8.8	0x89f	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:20.248930931 CEST	192.168.2.4	8.8.8.8	0x56fa	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:21.288027048 CEST	192.168.2.4	8.8.8.8	0x56fa	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)
May 4, 2021 06:54:28.185599089 CEST	192.168.2.4	8.8.8.8	0x1829	Standard query (0)	securityveriservers.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 06:52:35.468126059 CEST	8.8.8.8	192.168.2.4	0x87ae	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:52:46.229815960 CEST	8.8.8.8	192.168.2.4	0xdf48	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:52:57.540606976 CEST	8.8.8.8	192.168.2.4	0x12fe	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:53:10.301357031 CEST	8.8.8.8	192.168.2.4	0xe000	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:53:26.628335953 CEST	8.8.8.8	192.168.2.4	0xa845	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:53:36.529876947 CEST	8.8.8.8	192.168.2.4	0x4313	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:53:45.629180908 CEST	8.8.8.8	192.168.2.4	0xa9ad	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:53:55.567790031 CEST	8.8.8.8	192.168.2.4	0xb816	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:00.662633896 CEST	8.8.8.8	192.168.2.4	0x933	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:08.147878885 CEST	8.8.8.8	192.168.2.4	0xb99f	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:11.339107037 CEST	8.8.8.8	192.168.2.4	0xec56	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 06:54:15.147207975 CEST	8.8.8.8	192.168.2.4	0x89f	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:22.086838961 CEST	8.8.8.8	192.168.2.4	0x56fa	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:22.087651014 CEST	8.8.8.8	192.168.2.4	0x56fa	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)
May 4, 2021 06:54:28.234452963 CEST	8.8.8.8	192.168.2.4	0x1829	No error (0)	securityveriservers.ddns.net		89.44.9.69	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Thag3EQkV3.exe PID: 6416 Parent PID: 5816

General

Start time:	06:52:20
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Thag3EQkV3.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Thag3EQkV3.exe'
Imagebase:	0x2b0000
File size:	1311744 bytes
MD5 hash:	46596598EE9FE7C1B4677CBBFE8A00BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.680421675.00000000036C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678528417.00000000026C1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: powershell.exe PID: 6620 Parent PID: 6416

General

Start time:	06:52:22
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Thag3EQkV3.exe'
Imagebase:	0x1070000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6628 Parent PID: 6620

General

Start time:	06:52:23
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6740 Parent PID: 6416

General

Start time:	06:52:24
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Imagebase:	0x1070000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6764 Parent PID: 6740

General

Start time:	06:52:24
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 6772 Parent PID: 6416

General

Start time:	06:52:24
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dZmzbca' /XML 'C:\Users\user\AppData\Local\Temp\tmp8204.tmp'
Imagebase:	0xd10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6804 Parent PID: 6772

General

Start time:	06:52:24
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6948 Parent PID: 6416

General

Start time:	06:52:25
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\dZmzbca.exe'
Imagebase:	0x1070000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6960 Parent PID: 6948

General

Start time:	06:52:26
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Thag3EQkV3.exe PID: 6968 Parent PID: 6416

General

Start time:	06:52:26
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\Thag3EQkV3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Thag3EQkV3.exe
Imagebase:	0xcf0000
File size:	1311744 bytes
MD5 hash:	46596598EE9FE7C1B4677CBBFE8A00BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Thag3EQkV3.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets