Windows Analysis Report
ij4YvAl59D.exe

Overview

General Information

Sample name: ij4YvAl59D.exe
renamed because original name is a hash value
Original sample name: 63348a3de870f9d1a0e8dc66584529b7.exe
Analysis ID: 1576616
MD5: 63348a3de870f9d1a0e8dc66584529b7
SHA1: 1610b479e8415bec8a184cc00cecdef2865354f2
SHA256: 81200273f9dd78935d8bc3b61ab7bd15c4e24be31c4a10fb55504595370e977b
Tags: exe, user-abuse_ch

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to inject threads in other processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with a suspicious file extension
Exclude list of file types from scheduled, custom, and real-time scanning
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign process
Modifies Group Policy settings
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Wscript called in batch mode (suppress errors)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Windows Defender Exclusions Added - Registry
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

AV Detection

Source: ij4YvAl59D.exe Virustotal: Detection: 59%
Source: ij4YvAl59D.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: ij4YvAl59D.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ij4YvAl59D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Change of critical system settings

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006847B7 GetFileAttributesW,FindFirstFileW,FindClose, 16_2_006847B7
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00683E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00683E72
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0068C16C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068CB81 FindFirstFileW,FindClose, 16_2_0068CB81
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 16_2_0068CC0C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0068F445
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0068F5A2
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0068F8A3
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00683B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00683B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 37_2_008FC16C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F47B7 GetFileAttributesW,FindFirstFileW,FindClose, 37_2_008F47B7
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FCB81 FindFirstFileW,FindClose, 37_2_008FCB81
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 37_2_008FCC0C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 37_2_008FF445
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 37_2_008FF5A2
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 37_2_008FF8A3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 37_2_008F3B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 37_2_008F3E72
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 37_2_01432022
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01431F9C FindClose,FindFirstFileExW,GetLastError, 37_2_01431F9C

Networking

Source: Network traffic Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.4:50027 -> 3.36.173.8:50500
Source: Network traffic Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:50027 -> 3.36.173.8:50500
Source: global traffic TCP traffic: 192.168.2.4:50027 -> 3.36.173.8:50500
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB
Source: unknown DNS traffic detected: query: jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 3.36.173.8
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0069279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 16_2_0069279E
Source: global traffic DNS traffic detected: DNS query: jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: ij4YvAl59D.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04r
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: ij4YvAl59D.exe, 00000000.00000003.1783937876.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 0000000A.00000000.1817611127.0000000000958000.00000002.00000001.01000000.00000005.sdmp, SecureHawk.pif, 00000010.00000000.1850685413.00000000006E8000.00000002.00000001.01000000.00000008.sdmp, Origin.pif, 00000025.00000002.4202785920.0000000000958000.00000002.00000001.01000000.00000005.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, Studios.0.dr, SecureHawk.pif.10.dr, Origin.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Origin.pif, Origin.pif, 00000025.00000002.4203013330.0000000001400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Origin.pif String found in binary or memory: https://ipinfo.io/
Source: Origin.pif, 00000025.00000002.4203013330.0000000001400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Origin.pif, 00000025.00000002.4203516927.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: ij4YvAl59D.exe, 00000000.00000003.1754054360.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000A.00000003.1827991644.000000000497E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000025.00000002.4204020665.0000000003326000.00000004.00000020.00020000.00000000.sdmp, SecureHawk.pif.10.dr, Origin.pif.1.dr, Beginning.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: Origin.pif String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00694614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 16_2_00694614
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_00904614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 37_2_00904614
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00694416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 16_2_00694416
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006ACEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 16_2_006ACEDF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_0091CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 37_2_0091CEDF

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Massachusetts entropy: 7.99846554018
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Radius entropy: 7.99902505433
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Stockings entropy: 7.99820786051
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Bdsm entropy: 7.99861815368
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Vendor entropy: 7.99556101212
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Convenience entropy: 7.99573659303
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Joke entropy: 7.99883402213
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Severe entropy: 7.99824795157
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Falls entropy: 7.99917331785
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Sig entropy: 7.9984885368
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Outreach entropy: 7.99921983985
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Dental entropy: 7.99901607447
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Mask entropy: 7.99382891469
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\Fighting entropy: 7.99892313786
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\June entropy: 7.99829631291
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\369580\Z entropy: 7.99991695551
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics\r entropy: 7.99991695551

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js"
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006840C1: CreateFileW,DeviceIoControl,CloseHandle, 16_2_006840C1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00678D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 16_2_00678D11
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006855E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 16_2_006855E5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 37_2_008F55E5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Windows\System32\GroupPolicy\GPT.INI
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_014EFC40 37_2_014EFC40
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 01434380 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 008B8A60 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 008B0C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 008A1A36 appears 33 times
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00631A36 appears 34 times
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00648A60 appears 42 times
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00640C42 appears 70 times
Source: ij4YvAl59D.exe, 00000000.00000003.1783937876.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs ij4YvAl59D.exe
Source: ij4YvAl59D.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ij4YvAl59D.exe Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@30/56@2/1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068A51A GetLastError,FormatMessageW, 16_2_0068A51A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00678BCC AdjustTokenPrivileges,CloseHandle, 16_2_00678BCC
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0067917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 16_2_0067917C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008E8BCC AdjustTokenPrivileges,CloseHandle, 37_2_008E8BCC
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008E917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 37_2_008E917C
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00683FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 16_2_00683FB5
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006842AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 16_2_006842AA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File created: C:\Users\user\AppData\Local\Temp\nsu4B6A.tmp
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Command line argument: @] 16_2_00635F8B
Source: ij4YvAl59D.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Origin.pif, Origin.pif, 00000025.00000002.4203013330.0000000001400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Origin.pif, 00000025.00000002.4203013330.0000000001400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ij4YvAl59D.exe Virustotal: Detection: 59%
Source: ij4YvAl59D.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ij4YvAl59D.exe File read: C:\Users\user\Desktop\ij4YvAl59D.exe
Source: unknown Process created: C:\Users\user\Desktop\ij4YvAl59D.exe "C:\Users\user\Desktop\ij4YvAl59D.exe"
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 369580
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif 369580\Origin.pif 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif" "C:\Users\user\AppData\Local\LinkGuard Dynamics\r"
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif C:\Users\user\AppData\Local\Temp\369580\Origin.pif
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: gpedit.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dssec.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dsuiext.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: framedynos.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dsrole.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: authz.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: devobj.dll
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: ij4YvAl59D.exe Static file information: File size 17135424 > 1048576
Source: ij4YvAl59D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00648AA5 push ecx; ret 16_2_00648AB8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F88B7 push FFFFFF8Bh; iretd 37_2_008F88B9
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BE86F push edi; ret 37_2_008BE871
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BE988 push esi; ret 37_2_008BE98A
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008B8AA5 push ecx; ret 37_2_008B8AB8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008ACBF1 push eax; retf 37_2_008ACBF8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BEB63 push esi; ret 37_2_008BEB65
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BEC4C push edi; ret 37_2_008BEC4E
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_009072DC push eax; iretd 37_2_009072DD
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01433F59 push ecx; ret 37_2_01433F6C

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006A577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 16_2_006A577B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00635EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 16_2_00635EDA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_0091577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 37_2_0091577B
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 37_2_008A5EDA
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006432E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_006432E9
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif API coverage: 1.1 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 4592 Thread sleep count: 120 > 30
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif TID: 1700 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif TID: 1356 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif TID: 1356 Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif TID: 5212 Thread sleep count: 91 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Last function: Thread delayed
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006847B7 GetFileAttributesW,FindFirstFileW,FindClose, 16_2_006847B7
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00683E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00683E72
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0068C16C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068CB81 FindFirstFileW,FindClose, 16_2_0068CB81
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 16_2_0068CC0C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0068F445
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_0068F5A2
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 16_2_0068F8A3
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00683B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00683B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 37_2_008FC16C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F47B7 GetFileAttributesW,FindFirstFileW,FindClose, 37_2_008F47B7
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FCB81 FindFirstFileW,FindClose, 37_2_008FCB81
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 37_2_008FCC0C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 37_2_008FF445
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 37_2_008FF5A2
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008FF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 37_2_008FF8A3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 37_2_008F3B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008F3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 37_2_008F3E72
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 37_2_01432022
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01431F9C FindClose,FindFirstFileExW,GetLastError, 37_2_01431F9C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00635D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 16_2_00635D13
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000S
Source: Origin.pif, 00000025.00000002.4203516927.000000000181E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000M
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: SecureHawk.pif, 00000010.00000002.4205566786.0000000003C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxE=
Source: Origin.pif, 00000025.00000002.4202967200.00000000013FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Origin.pif, 00000025.00000002.4203516927.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-9
Source: Origin.pif, 00000025.00000002.4203516927.000000000180D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006943B9 BlockInput, 16_2_006943B9
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00635240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 16_2_00635240
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00655BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 16_2_00655BDC
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006786B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 16_2_006786B0
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0064A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0064A2B5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0064A284 SetUnhandledExceptionFilter, 16_2_0064A284
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BA284 SetUnhandledExceptionFilter, 37_2_008BA284
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_008BA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_008BA2B5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01434184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_01434184
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_0143451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_0143451D
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_01438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_01438A64

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 37_2_014CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 37_2_014CF280
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Memory written: C:\Users\user\AppData\Local\Temp\369580\Origin.pif base: 1400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0067914C LogonUserW, 16_2_0067914C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00635240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 16_2_00635240
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00681932 SendInput,keybd_event, 16_2_00681932
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068507B mouse_event, 16_2_0068507B
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 369580
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif 369580\Origin.pif 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif C:\Users\user\AppData\Local\Temp\369580\Origin.pif
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif" "C:\Users\user\AppData\Local\LinkGuard Dynamics\r"
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_006786B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 16_2_006786B0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00684D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 16_2_00684D89
Source: Origin.pif, 0000000A.00000003.1828150960.0000000004A6E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 0000000A.00000000.1817508928.0000000000945000.00000002.00000001.01000000.00000005.sdmp, SecureHawk.pif, 00000010.00000002.4202781597.00000000006D5000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecureHawk.pif, Origin.pif Binary or memory string: Shell_TrayWnd
Source: ij4YvAl59D.exe, 00000000.00000003.1783937876.00000000027B9000.00000004.00000020.00020000.00000000.sdmp, Studios.0.dr Binary or memory string: u3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0064878B cpuid 16_2_0064878B
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 37_2_01452B5A
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 37_2_01452D5F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 37_2_01452F77
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: EnumSystemLocalesW, 37_2_01452E51
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: EnumSystemLocalesW, 37_2_01452E06
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: EnumSystemLocalesW, 37_2_01452EEC
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 37_2_014531CA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: EnumSystemLocalesW, 37_2_0144B1B1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 37_2_014533F9
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 37_2_014532F3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 37_2_014534CF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 37_2_0144B734
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoEx,FormatMessageA, 37_2_01431D94
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0068E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 16_2_0068E0CA
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00660652 GetUserNameW, 16_2_00660652
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_0065409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 16_2_0065409A
Source: C:\Users\user\Desktop\ij4YvAl59D.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{581A8394-A0F5-4CA9-9527-C29248E9064A}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File written: C:\Windows\System32\GroupPolicy\GPT.INI

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Origin.pif PID: 1592, type: MEMORYSTR
Source: Origin.pif Binary or memory string: WIN_81
Source: Origin.pif Binary or memory string: WIN_XP
Source: Origin.pif Binary or memory string: WIN_XPe
Source: Origin.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Origin.pif Binary or memory string: WIN_VISTA
Source: Origin.pif Binary or memory string: WIN_7
Source: Origin.pif Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Origin.pif PID: 1592, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00696733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 16_2_00696733
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 16_2_00696BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 16_2_00696BF7