Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_004062D5 FindFirstFileW,FindClose, |
0_2_004062D5 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_00402E18 FindFirstFileW, |
0_2_00402E18 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, |
0_2_00406C9B |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
10_2_00E64005 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6494A GetFileAttributesW,FindFirstFileW,FindClose, |
10_2_00E6494A |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
10_2_00E63CE2 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
10_2_00E6C2FF |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
10_2_00E6CD9F |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6CD14 FindFirstFileW,FindClose, |
10_2_00E6CD14 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
10_2_00E6F5D8 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
10_2_00E6F735 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
10_2_00E6FA36 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
16_2_00944005 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose, |
16_2_0094494A |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
16_2_0094C2FF |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
16_2_0094CD9F |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094CD14 FindFirstFileW,FindClose, |
16_2_0094CD14 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
16_2_0094F5D8 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
16_2_0094F735 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
16_2_0094FA36 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
16_2_00943CE2 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0 |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0 |
Source: cW5i0RdQ4L.exe, 00000000.00000002.1719104537.000000000041F000.00000004.00000001.01000000.00000003.sdmp, cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://crl.globalsign.net/root-r3.crl0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20 |
Source: cW5i0RdQ4L.exe, 00000000.00000002.1719104537.000000000041F000.00000004.00000001.01000000.00000003.sdmp, cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08 |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0 |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3570573452.0000000000EC9000.00000002.00000001.01000000.00000006.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3570670968.00000000009A9000.00000002.00000001.01000000.0000000A.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: cW5i0RdQ4L.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: Powder.pif, 0000000A.00000002.3571443767.00000000019C9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/ |
Source: Powder.pif, 0000000A.00000002.3571321856.0000000001959000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3572166645.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3571781276.000000000171A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/15RZZ4 |
Source: Powder.pif, 0000000A.00000002.3571443767.0000000001B30000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/15RZZ40 |
Source: Powder.pif, 0000000A.00000002.3572166645.00000000043D6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/15RZZ4O |
Source: GuardianCryptoElite.scr, 00000010.00000002.3571413798.000000000153A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/15RZZ4eListcessId; |
Source: GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/R |
Source: GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://iplogger.com/m |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: https://www.autoitscript.com/autoit3/ |
Source: Serious.0.dr |
String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr |
String found in binary or memory: https://www.globalsign.com/repository/06 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E8D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
10_2_00E8D164 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0096D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
16_2_0096D164 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_0040497C |
0_2_0040497C |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_00406ED2 |
0_2_00406ED2 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_004074BB |
0_2_004074BB |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E0B020 |
10_2_00E0B020 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E094E0 |
10_2_00E094E0 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E09C80 |
10_2_00E09C80 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E223F5 |
10_2_00E223F5 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E88400 |
10_2_00E88400 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E36502 |
10_2_00E36502 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E0E6F0 |
10_2_00E0E6F0 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E3265E |
10_2_00E3265E |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E2282A |
10_2_00E2282A |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E389BF |
10_2_00E389BF |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E36A74 |
10_2_00E36A74 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E80A3A |
10_2_00E80A3A |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E10BE0 |
10_2_00E10BE0 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E5EDB2 |
10_2_00E5EDB2 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E2CD51 |
10_2_00E2CD51 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E80EB7 |
10_2_00E80EB7 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E68E44 |
10_2_00E68E44 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E36FE6 |
10_2_00E36FE6 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E233B7 |
10_2_00E233B7 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E1D45D |
10_2_00E1D45D |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E2F409 |
10_2_00E2F409 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E0F6A0 |
10_2_00E0F6A0 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E216B4 |
10_2_00E216B4 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E01663 |
10_2_00E01663 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E1F628 |
10_2_00E1F628 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E278C3 |
10_2_00E278C3 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E2DBA5 |
10_2_00E2DBA5 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E21BA8 |
10_2_00E21BA8 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E39CE5 |
10_2_00E39CE5 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E1DD28 |
10_2_00E1DD28 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E21FC0 |
10_2_00E21FC0 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E2BFD6 |
10_2_00E2BFD6 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008EB020 |
16_2_008EB020 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008E94E0 |
16_2_008E94E0 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008E9C80 |
16_2_008E9C80 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009023F5 |
16_2_009023F5 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00968400 |
16_2_00968400 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00916502 |
16_2_00916502 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008EE6F0 |
16_2_008EE6F0 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0091265E |
16_2_0091265E |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0090282A |
16_2_0090282A |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009189BF |
16_2_009189BF |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00960A3A |
16_2_00960A3A |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00916A74 |
16_2_00916A74 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008F0BE0 |
16_2_008F0BE0 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0093EDB2 |
16_2_0093EDB2 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0090CD51 |
16_2_0090CD51 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00960EB7 |
16_2_00960EB7 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00948E44 |
16_2_00948E44 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00916FE6 |
16_2_00916FE6 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009033B7 |
16_2_009033B7 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0090F409 |
16_2_0090F409 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008FD45D |
16_2_008FD45D |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009016B4 |
16_2_009016B4 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008EF6A0 |
16_2_008EF6A0 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008FF628 |
16_2_008FF628 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008E1663 |
16_2_008E1663 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009078C3 |
16_2_009078C3 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0090DBA5 |
16_2_0090DBA5 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00901BA8 |
16_2_00901BA8 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00919CE5 |
16_2_00919CE5 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008FDD28 |
16_2_008FDD28 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0090BFD6 |
16_2_0090BFD6 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00901FC0 |
16_2_00901FC0 |
Source: unknown |
Process created: C:\Users\user\Desktop\cW5i0RdQ4L.exe "C:\Users\user\Desktop\cW5i0RdQ4L.exe" |
|
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 103495 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aroundaccommodategroupseverything" Fine |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Powder.pif n |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 |
|
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & echo URL="C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & exit |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" |
|
Source: C:\Windows\SysWOW64\findstr.exe |
Process created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\O" |
|
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 103495 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aroundaccommodategroupseverything" Fine |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Powder.pif n |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & echo URL="C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & exit |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\O" |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: shfolder.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: riched20.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: usp10.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: msls31.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: cmdext.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: framedynos.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: dbghelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: winsta.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: framedynos.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: dbghelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: winsta.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\choice.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: jscript.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
10_2_00E859B3 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E15EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
10_2_00E15EDA |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_009659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
16_2_009659B3 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_008F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
16_2_008F5EDA |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_004062D5 FindFirstFileW,FindClose, |
0_2_004062D5 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_00402E18 FindFirstFileW, |
0_2_00402E18 |
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe |
Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, |
0_2_00406C9B |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
10_2_00E64005 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6494A GetFileAttributesW,FindFirstFileW,FindClose, |
10_2_00E6494A |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
10_2_00E63CE2 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
10_2_00E6C2FF |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
10_2_00E6CD9F |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6CD14 FindFirstFileW,FindClose, |
10_2_00E6CD14 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
10_2_00E6F5D8 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
10_2_00E6F735 |
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif |
Code function: 10_2_00E6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
10_2_00E6FA36 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
16_2_00944005 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose, |
16_2_0094494A |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
16_2_0094C2FF |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
16_2_0094CD9F |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094CD14 FindFirstFileW,FindClose, |
16_2_0094CD14 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
16_2_0094F5D8 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
16_2_0094F735 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
16_2_0094FA36 |
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr |
Code function: 16_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
16_2_00943CE2 |