Windows Analysis Report
WarZOne.exe

Overview

General Information

Sample Name:	WarZOne.exe
Analysis ID:	593196
MD5:	bd217c997f860e6c95e4df1204e8b6f2
SHA1:	67d432c7611e1a657c39647b82afb9d7d93c7a71
SHA256:	cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722
Tags:	exe
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Writes to foreign memory regions

Encrypted powershell cmdline option found

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Potential dropper URLs found in powershell memory

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Drops PE files

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Execution of Powershell with Base64

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WarZOne.exe

Avira: detected

Machine Learning detection for sample

Source: WarZOne.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\6363.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\13.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Joe Sandbox ML: detected

Uses 32bit PE files

Source: WarZOne.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: WarZOne.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: 6363.exe, 00000003.00000003.270109273.00000000024F2000.00000040.00001000.00020000.00000000.sdmp, 6363.exe, 00000003.00000002.270713010.000000000010E000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.524692625.0000000000402000.00000020.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WarZOne.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\WarZOne.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\WarZOne.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF

Networking

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

DNS query: name: ip-api.com

Potential dropper URLs found in powershell memory

Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000020.00000002.509103765.000002B38161F000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryamet

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: powershell.exe, 0000000D.00000002.386035272.00000165CE710000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.518332682.000002B3FF3B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000020.00000003.506032441.000002B3FF3B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.542391311.000002D9F0E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000020.00000002.517317731.000002B3FE845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000D.00000002.386488332.00000165CE8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.osofts/Microt0
Source: powershell.exe, 0000000D.00000003.365257002.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.386352561.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.317254266.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.t.com/pki/crl/pr
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AppLaunch.exe, 00000005.00000002.526943680.0000000006D24000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.527046168.0000000006D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000005.00000002.526943680.0000000006D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000005.00000002.526943680.0000000006D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4
Source: WarZOne.exe, WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp, WarZOne.exe, 00000000.00000000.256647876.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp, WarZOne.exe, 00000000.00000000.256647876.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000D.00000002.383650086.00000165C6666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.509103765.000002B38161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.528168479.000002D980210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 13.exe, 00000001.00000002.431572403.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.526943680.0000000006D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.368707604.00000165B6601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.508573813.000002B381411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.526641130.000002D980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.509103765.000002B38161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.528168479.000002D980210000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000003.365257002.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.386352561.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.317254266.00000165CE7F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wsoft.com/pki/ceroCerAut_2010-06-
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000005.00000002.524692625.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.entrust.net/rpa0
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.entrust.net/rpa03
Source: powershell.exe, 0000000D.00000002.383650086.00000165C6666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.383650086.00000165C6666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.383650086.00000165C6666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.370820750.00000165B6810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.383401009.00000165B7C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.383050435.00000165B7A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.382371268.00000165B77E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.383650086.00000165C6666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: WarZOne.exe, 00000000.00000002.265126284.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Creates a DirectInput object (often for capturing keystrokes)

Source: 6363.exe, 00000003.00000002.272837545.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\WarZOne.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

System Summary

PE file contains section with special chars

Source: 6363.exe.0.dr

Static PE information: section name: ."@>]7

Uses 32bit PE files

Source: WarZOne.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\WarZOne.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Detected potential crypto function

Source: C:\Users\user\Desktop\WarZOne.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\WarZOne.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FFD9F6	1_2_00007FFC04FFD9F6
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FF096E	1_2_00007FFC04FF096E
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FFE7A2	1_2_00007FFC04FFE7A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C7145E	5_2_06C7145E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C7DEE0	5_2_06C7DEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C7BF80	5_2_06C7BF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C71D90	5_2_06C71D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C77D70	5_2_06C77D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C70B38	5_2_06C70B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C7C850	5_2_06C7C850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C70860	5_2_06C70860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C71555	5_2_06C71555
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C720C8	5_2_06C720C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C71E41	5_2_06C71E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C7BC38	5_2_06C7BC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C77D60	5_2_06C77D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C70B72	5_2_06C70B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_06C70B28	5_2_06C70B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_09A26E50	5_2_09A26E50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC04FC40A8	13_2_00007FFC04FC40A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC04FC40C8	13_2_00007FFC04FC40C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC04FC3345	13_2_00007FFC04FC3345
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC050939E1	13_2_00007FFC050939E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC05093285	13_2_00007FFC05093285

PE file does not import any functions

Source: 13.exe.0.dr	Static PE information: No import functions for PE file found
Source: System.exe.1.dr	Static PE information: No import functions for PE file found

PE / OLE file has an invalid certificate

Source: WarZOne.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\WarZOne.exe

File read: C:\Users\user\Desktop\WarZOne.exe

Source: unknown	Process created: C:\Users\user\Desktop\WarZOne.exe "C:\Users\user\Desktop\WarZOne.exe"
Source: C:\Users\user\Desktop\WarZOne.exe	Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: C:\Users\user\Desktop\WarZOne.exe	Process created: C:\Users\user\AppData\Roaming\6363.exe C:\Users\user\AppData\Roaming\6363.exe
Source: C:\Users\user\AppData\Roaming\6363.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\6363.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\Desktop\WarZOne.exe	Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe	Jump to behavior
Source: C:\Users\user\Desktop\WarZOne.exe	Process created: C:\Users\user\AppData\Roaming\6363.exe C:\Users\user\AppData\Roaming\6363.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\6363.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Users\user\AppData\Roaming\13.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\13.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_01

Source: 3.3.6363.exe.24f0000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 3.3.6363.exe.24f0000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00AD12E3 push rcx; iretd	1_2_00AD12E4
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00AD130D push rcx; retf	1_2_00AD1316
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FF6A42 push 695F6AB3h; retf	1_2_00007FFC04FF6A49
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FF2E69 pushad ; ret	1_2_00007FFC04FF2E6A
Source: C:\Users\user\AppData\Roaming\13.exe	Code function: 1_2_00007FFC04FF132C push dword ptr [ebp-49h]; retf	1_2_00007FFC04FF1335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC04FC3DA3 push eax; iretd	13_2_00007FFC04FC3E41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFC04FC4C0C push cs; iretd	13_2_00007FFC04FC4C0F
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 23_2_0041130D push rcx; retf	23_2_00411316
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 23_2_004112E3 push rcx; iretd	23_2_004112E4
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 23_2_00007FFC04FD6A42 push 695F6CB3h; retf	23_2_00007FFC04FD6A49
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 23_2_00007FFC04FD2E69 pushad ; ret	23_2_00007FFC04FD2E6A
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 23_2_00007FFC04FD132C push dword ptr [ebp-49h]; retf	23_2_00007FFC04FD1335

Source: 6363.exe.0.dr	Static PE information: section name: .vZtfdr
Source: 6363.exe.0.dr	Static PE information: section name: ."@>]7

Source: C:\Users\user\Desktop\WarZOne.exe	File created: C:\Users\user\AppData\Roaming\13.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WarZOne.exe	File created: C:\Users\user\AppData\Roaming\6363.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\13.exe	File created: C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\13.exe TID: 6308	Thread sleep count: 89 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe TID: 6308	Thread sleep time: -89000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe TID: 6328	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6148	Thread sleep count: 6856 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep count: 1735 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572	Thread sleep count: 6630 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796	Thread sleep count: 1897 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1320	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5292	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5292	Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 3544	Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 3544	Thread sleep time: -55000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep count: 7501 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1740	Thread sleep count: 501 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504	Thread sleep count: 4765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504	Thread sleep count: 1038 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\13.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6856	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1735	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6630	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1897	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1038

Source: AppLaunch.exe, 00000005.00000002.526364649.0000000005302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: AppLaunch.exe, 00000005.00000002.526458977.0000000005340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLH2G8E95Win32_VideoController3VDSLKXHVideoController120060621000000.000000-000.9045..8display.infMSBDA86Z411FFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsXCEOCZ9P<a
Source: AppLaunch.exe, 00000005.00000002.526364649.0000000005302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLH2G8E95Win32_VideoController3VDSLKXHVideoController120060621000000.000000-000.9045..8display.infMSBDA86Z411FFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsXCEOCZ9P
Source: AppLaunch.exe, 00000005.00000002.526458977.0000000005340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\13.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\6363.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\6363.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: B38008			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force

Source: C:\Users\user\AppData\Roaming\13.exe	Queries volume information: C:\Users\user\AppData\Roaming\13.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\13.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

ID:	593196
Product:	CloudBasic
Start time:	13:14:44
Start date:	21.03.2022
Sample:	WarZOne.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bd217c997f860e6c95e4df1204e8b6f2
SHA1:	67d432c7611e1a657c39647b82afb9d7d93c7a71
SHA256:	cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report WarZOne.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
WarZOne.exe

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\13.exe.log	ASCII text, with CRLF line terminators	55B1C358C76C36555547AB8BA39CB42E	63BD54BA7CB70FB481C8D625EBA24A5E2D6564F2	33367C74DE2EC5A5DE6FDAD331DCBF09EB0C8EA333708F7CD3C0228D8A466240
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	A30A545B73C738B58F7D7089B1C9FF63	2F4784CFB523E34E6492F67EF7A04C7A20F16872	2F1991061F8982C2AAB4D49CAF78BE84E1282EFED26BE6775989B0EC4C9464BC
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1nkf0ynl.1ys.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fszllca.cnq.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ax1m5cxw.dic.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdqh0fyf.oux.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kza20jcr.aj3.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntbonqkd.4oe.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onkmbs4h.1fs.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmrv50ev.vgm.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\13.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	BC498D99D29CEC9B97EFEB530D745D5F	38F16B9D7D22600888883CA4D9329D3299448825	99B25606BF4D6954750E0E0C09B5850556450A1FD6630554287C93B0CAA25437
C:\Users\user\AppData\Roaming\6363.exe	PE32 executable (console) Intel 80386, for MS Windows	6E2E572F9C95A2F41B4DA6685F152C6B	7AA2D1038B5A3909268C068424AAA0354A6A8819	F750675396D45B9CD915379FBD703558FCA2CDDC3456B1D345B70DA4D8AFD334
C:\Users\user\AppData\Roaming\Windows\System.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	BC498D99D29CEC9B97EFEB530D745D5F	38F16B9D7D22600888883CA4D9329D3299448825	99B25606BF4D6954750E0E0C09B5850556450A1FD6630554287C93B0CAA25437
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.H_CZkqq5.20220321131727.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	10D6A2D891D22024E5BEC2F349D63D22	C8D76B4140F467430BB63CA170689DDF01DA9227	B680B56A63344F149FFD41A097EF410B886AD7C8C3AC05CBD3DA153EDEEBC02B
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.hEIboB2j.20220321131654.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	EEC532DA617893FB2A612D80135907E3	C0A2E53D6E9B51EBFD3A9CA79331E168A9DB5CC2	E70B5155E85A24D9118CE7BCF967355BB16D417F93C33BB8FF1180239F689786
C:\Users\user\Documents\20220321\PowerShell_transcript.124406.nPMpTzNg.20220321131615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	62E57477E6737ECC2FAD97448BD6E83B	BF045C00E027326AFAD1E3ADA3037F96B2EDC908	41DF231EA1CFF3126570E3C5430613383612DC43E8B199F85C790C5772F3571D