Windows Analysis Report
e0N07wherG.exe

Overview

General Information

Sample name: e0N07wherG.exe
renamed because original name is a hash value
Original sample name: ed9dabe1be5145592d0970a31469b1b1.exe
Analysis ID: 1599845
MD5: ed9dabe1be5145592d0970a31469b1b1
SHA1: 2cd93c6152a1974ffebd808581447ce06b215a51
SHA256: 69b554d3e9047302e77da2495408b53420bd6259965daf847c402c51ae86e113
Tags: exe, user-abuse_ch

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected RisePro Stealer
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Wscript called in batch mode (suppress errors)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Classification chart (image not reproduced): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; rating scale clean / suspicious / malicious

AV Detection

Source: e0N07wherG.exe Virustotal: Detection: 54%
Source: e0N07wherG.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 21_2_016C6B00
Source: e0N07wherG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e0N07wherG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C47B7 GetFileAttributesW,FindFirstFileW,FindClose, 17_2_007C47B7
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_007C3E72
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_007CC16C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CCB81 FindFirstFileW,FindClose, 17_2_007CCB81
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 17_2_007CCC0C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_007CF445
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_007CF5A2
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_007CF8A3
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_007C3B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_0063C16C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006347B7 GetFileAttributesW,FindFirstFileW,FindClose, 21_2_006347B7
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063CB81 FindFirstFileW,FindClose, 21_2_0063CB81
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 21_2_0063CC0C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_0063F445
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_0063F5A2
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_0063F8A3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00633B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_00633B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00633E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_00633E72
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01632022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 21_2_01632022
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 21_2_016C6000
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 21_2_016E6770

Networking

Source: Network traffic Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.8:49708 -> 3.36.173.8:50500
Source: unknown DNS traffic detected: query: jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 17_2_007D279E
Source: global traffic DNS traffic detected: DNS query: jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: e0N07wherG.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3937581301.000000000194F000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3937581301.000000000194F000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: e0N07wherG.exe, 00000000.00000003.1509837357.0000000002991000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 0000000B.00000000.1549342222.0000000000698000.00000002.00000001.01000000.00000005.sdmp, SecureHawk.pif, 00000011.00000002.3937177437.0000000000828000.00000002.00000001.01000000.00000008.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3937136237.0000000000698000.00000002.00000001.01000000.00000005.sdmp, Origin.pif.2.dr, Studios.0.dr, SecureHawk.pif.11.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Origin.pif, Origin.pif, 00000015.00000002.3937280217.0000000001600000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Origin.pif String found in binary or memory: https://ipinfo.io/
Source: Origin.pif, 00000015.00000002.3937280217.0000000001600000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Origin.pif, 00000015.00000002.3937581301.0000000001907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: e0N07wherG.exe, 00000000.00000003.1478531679.0000000002983000.00000004.00000020.00020000.00000000.sdmp, Origin.pif, 0000000B.00000003.1559796680.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Origin.pif, 00000015.00000002.3938032751.00000000056DC000.00000004.00000020.00020000.00000000.sdmp, Origin.pif.2.dr, SecureHawk.pif.11.dr, Beginning.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: Origin.pif String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 17_2_007D4614
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00644614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 21_2_00644614
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D4416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 17_2_007D4416
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007ECEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 17_2_007ECEDF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0065CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 21_2_0065CEDF

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Fighting entropy: 7.99892313786
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\June entropy: 7.99829631291
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Massachusetts entropy: 7.99846554018
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Radius entropy: 7.99902505433
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Stockings entropy: 7.99820786051
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Bdsm entropy: 7.99861815368
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Vendor entropy: 7.99556101212
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Convenience entropy: 7.99573659303
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Joke entropy: 7.99883402213
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Severe entropy: 7.99824795157
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Falls entropy: 7.99917331785
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Sig entropy: 7.9984885368
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Outreach entropy: 7.99921983985
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Dental entropy: 7.99901607447
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\Mask entropy: 7.99382891469
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\369580\Z entropy: 7.99991695551
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics\r entropy: 7.99991695551

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js"
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C40C1: CreateFileW,DeviceIoControl,CloseHandle, 17_2_007C40C1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 17_2_007B8D11
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 17_2_007C55E5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006355E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 21_2_006355E5
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0076B020 17_2_0076B020
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007694E0 17_2_007694E0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00769C80 17_2_00769C80
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007E81C8 17_2_007E81C8
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00782325 17_2_00782325
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00796432 17_2_00796432
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0079258E 17_2_0079258E
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0076E6F0 17_2_0076E6F0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078275A 17_2_0078275A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007E0802 17_2_007E0802
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007988EF 17_2_007988EF
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007969A4 17_2_007969A4
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00770BE0 17_2_00770BE0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007BEB95 17_2_007BEB95
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007E0C7F 17_2_007E0C7F
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C8CB1 17_2_007C8CB1
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078CC81 17_2_0078CC81
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00796F16 17_2_00796F16
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007832E9 17_2_007832E9
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078F339 17_2_0078F339
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0077D457 17_2_0077D457
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0077F57E 17_2_0077F57E
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007815E4 17_2_007815E4
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00761663 17_2_00761663
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0076F6A0 17_2_0076F6A0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007877F3 17_2_007877F3
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00781AD8 17_2_00781AD8
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078DAD5 17_2_0078DAD5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00799C15 17_2_00799C15
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0077DD14 17_2_0077DD14
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00781EF0 17_2_00781EF0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078BF06 17_2_0078BF06
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006581C8 21_2_006581C8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F2325 21_2_005F2325
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00606432 21_2_00606432
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0060258E 21_2_0060258E
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005DE6F0 21_2_005DE6F0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F275A 21_2_005F275A
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00650802 21_2_00650802
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006088EF 21_2_006088EF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006069A4 21_2_006069A4
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005E0BE0 21_2_005E0BE0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0062EB95 21_2_0062EB95
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00650C7F 21_2_00650C7F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00638CB1 21_2_00638CB1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FCC81 21_2_005FCC81
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00606F16 21_2_00606F16
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005DB020 21_2_005DB020
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F32E9 21_2_005F32E9
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FF339 21_2_005FF339
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005ED457 21_2_005ED457
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005D94E0 21_2_005D94E0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005EF57E 21_2_005EF57E
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F15E4 21_2_005F15E4
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005D1663 21_2_005D1663
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005DF6A0 21_2_005DF6A0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F77F3 21_2_005F77F3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F1AD8 21_2_005F1AD8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FDAD5 21_2_005FDAD5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00609C15 21_2_00609C15
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005D9C80 21_2_005D9C80
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005EDD14 21_2_005EDD14
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F1EF0 21_2_005F1EF0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FBF06 21_2_005FBF06
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01708120 21_2_01708120
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016371A0 21_2_016371A0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_017031A0 21_2_017031A0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0164002D 21_2_0164002D
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F60E0 21_2_016F60E0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_017220D0 21_2_017220D0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0164036F 21_2_0164036F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016A4320 21_2_016A4320
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01712260 21_2_01712260
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0170A2B0 21_2_0170A2B0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01714550 21_2_01714550
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0173F550 21_2_0173F550
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F85F0 21_2_016F85F0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0162F580 21_2_0162F580
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F0450 21_2_016F0450
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016FA480 21_2_016FA480
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01747760 21_2_01747760
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F7730 21_2_016F7730
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016E77E0 21_2_016E77E0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_017397B0 21_2_017397B0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016547BF 21_2_016547BF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01652610 21_2_01652610
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016A3610 21_2_016A3610
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_017486C0 21_2_017486C0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0163C960 21_2_0163C960
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01746970 21_2_01746970
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F7960 21_2_016F7960
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0163A928 21_2_0163A928
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016FA930 21_2_016FA930
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016EF9A0 21_2_016EF9A0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F2820 21_2_016F2820
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016F8B40 21_2_016F8B40
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0171DBB0 21_2_0171DBB0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01700BA0 21_2_01700BA0
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01658BB0 21_2_01658BB0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00771A36 appears 34 times
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00780C42 appears 70 times
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: String function: 00788A60 appears 42 times
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 01747510 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 01634380 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 005F8A60 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 005E1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: String function: 005F0C42 appears 70 times
Source: e0N07wherG.exe, 00000000.00000002.1516710723.000000000085A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs e0N07wherG.exe
Source: e0N07wherG.exe, 00000000.00000003.1509837357.0000000002991000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs e0N07wherG.exe
Source: e0N07wherG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e0N07wherG.exe Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@31/53@1/0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CA51A GetLastError,FormatMessageW, 17_2_007CA51A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B8BCC AdjustTokenPrivileges,CloseHandle, 17_2_007B8BCC
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 17_2_007B917C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00628BCC AdjustTokenPrivileges,CloseHandle, 21_2_00628BCC
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0062917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 21_2_0062917C
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C3FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 17_2_007C3FB5
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C42AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 17_2_007C42AA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Users\user\Desktop\e0N07wherG.exe File created: C:\Users\user\AppData\Local\Temp\nsk62BC.tmp
Source: e0N07wherG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\e0N07wherG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\e0N07wherG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Origin.pif, 00000015.00000002.3937280217.0000000001600000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Origin.pif, 00000015.00000002.3937280217.0000000001600000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: e0N07wherG.exe Virustotal: Detection: 54%
Source: e0N07wherG.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\e0N07wherG.exe File read: C:\Users\user\Desktop\e0N07wherG.exe
Source: unknown Process created: C:\Users\user\Desktop\e0N07wherG.exe "C:\Users\user\Desktop\e0N07wherG.exe"
Source: C:\Users\user\Desktop\e0N07wherG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 369580
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif 369580\Origin.pif 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif" "C:\Users\user\AppData\Local\LinkGuard Dynamics\r"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif C:\Users\user\AppData\Local\Temp\369580\Origin.pif
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\e0N07wherG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: e0N07wherG.exe Static file information: File size 19665452 > 1048576
Source: e0N07wherG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00788AA5 push ecx; ret 17_2_00788AB8
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0077CBE0 push eax; retf 17_2_0077CBF8
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0077CC07 push eax; retf 17_2_0077CBF8
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005F8AA5 push ecx; ret 21_2_005F8AB8

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif File created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007E577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 17_2_007E577B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00775EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 17_2_00775EDA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0065577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 21_2_0065577B
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005E5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 21_2_005E5EDA
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007832E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_007832E9
Source: C:\Users\user\Desktop\e0N07wherG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\e0N07wherG.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 21_2_0165DB00
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif API coverage: 0.7 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 2160 Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif TID: 7144 Thread sleep count: 67 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_017449B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 017449F1h 21_2_017449B0
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C47B7 GetFileAttributesW,FindFirstFileW,FindClose, 17_2_007C47B7
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_007C3E72
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_007CC16C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CCB81 FindFirstFileW,FindClose, 17_2_007CCB81
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 17_2_007CCC0C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_007CF445
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_007CF5A2
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_007CF8A3
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_007C3B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_0063C16C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_006347B7 GetFileAttributesW,FindFirstFileW,FindClose, 21_2_006347B7
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063CB81 FindFirstFileW,FindClose, 21_2_0063CB81
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 21_2_0063CC0C
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_0063F445
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 21_2_0063F5A2
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0063F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 21_2_0063F8A3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00633B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_00633B4F
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_00633E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 21_2_00633E72
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01632022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 21_2_01632022
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 21_2_016C6000
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 21_2_016E6770
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00775D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 17_2_00775D13
Source: SecureHawk.pif, 00000011.00000002.3939264231.0000000003DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D43B9 BlockInput, 17_2_007D43B9
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00775240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 17_2_00775240
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00795BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 17_2_00795BDC
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0165DB00 mov eax, dword ptr fs:[00000030h] 21_2_0165DB00
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0165DB00 mov eax, dword ptr fs:[00000030h] 21_2_0165DB00
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_016D6280 mov eax, dword ptr fs:[00000030h] 21_2_016D6280
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 17_2_007B86B0
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0078A2B5
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078A284 SetUnhandledExceptionFilter, 17_2_0078A284
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FA284 SetUnhandledExceptionFilter, 21_2_005FA284
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_005FA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_005FA2B5
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01634184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_01634184
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_0163451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_0163451D
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: 21_2_01638A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_01638A64

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Memory written: C:\Users\user\AppData\Local\Temp\369580\Origin.pif base: 1600000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B914C LogonUserW, 17_2_007B914C
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_00775240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 17_2_00775240
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C1932 SendInput,keybd_event, 17_2_007C1932
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C507B mouse_event, 17_2_007C507B
Source: C:\Users\user\Desktop\e0N07wherG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 369580
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif 369580\Origin.pif 369580\Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Process created: C:\Users\user\AppData\Local\Temp\369580\Origin.pif C:\Users\user\AppData\Local\Temp\369580\Origin.pif
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif "C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif" "C:\Users\user\AppData\Local\LinkGuard Dynamics\r"
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007B86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 17_2_007B86B0
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007C4D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 17_2_007C4D89
Source: Origin.pif, 0000000B.00000000.1549238392.0000000000685000.00000002.00000001.01000000.00000005.sdmp, Origin.pif, 0000000B.00000003.1559796680.0000000004590000.00000004.00000800.00020000.00000000.sdmp, SecureHawk.pif, 00000011.00000002.3937066754.0000000000815000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecureHawk.pif, Origin.pif Binary or memory string: Shell_TrayWnd
Source: e0N07wherG.exe, 00000000.00000003.1509837357.0000000002988000.00000004.00000020.00020000.00000000.sdmp, Studios.0.dr Binary or memory string: u3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0078878B cpuid 17_2_0078878B
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 21_2_016531CA
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: EnumSystemLocalesW, 21_2_0164B1B1
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 21_2_016533F9
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_016532F3
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_016534CF
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetLocaleInfoW, 21_2_0164B734
Source: C:\Users\user\AppData\Local\Temp\369580\Origin.pif Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 21_2_01652B5A
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007CE0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 17_2_007CE0CA
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007A0652 GetUserNameW, 17_2_007A0652
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_0079409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 17_2_0079409A
Source: C:\Users\user\Desktop\e0N07wherG.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\findstr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Origin.pif PID: 2108, type: MEMORYSTR
Source: Origin.pif Binary or memory string: WIN_81
Source: Origin.pif Binary or memory string: WIN_XP
Source: Origin.pif Binary or memory string: WIN_XPe
Source: SecureHawk.pif.11.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Origin.pif Binary or memory string: WIN_VISTA
Source: Origin.pif Binary or memory string: WIN_7
Source: Origin.pif Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Origin.pif PID: 2108, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D6733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 17_2_007D6733
Source: C:\Users\user\AppData\Local\LinkGuard Dynamics\SecureHawk.pif Code function: 17_2_007D6BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 17_2_007D6BF7
No contacted IP infos