Windows Analysis Report
Ref#2056119.exe

Overview

General Information

Sample name: Ref#2056119.exe
Analysis ID: 1562370
MD5: 2c4db8b396dff48ba1e6ae44bd9aae08
SHA1: 79319657ecfb6f4f7b13ab1e99df278a53b7d101
SHA256: be5ca82d327d53fc7eb8719289394cf37cc1f45d39429b8e527d600193b706e0
Tags: AgentTesla, exe, user-JAMESWT_MHT

Detection

AgentTesla, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: XWorm
Description: Malware with wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: 00000008.00000002.3113434795.0000000002C21000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759"}
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Source: C:\Users\user\AppData\Roaming\ishon.exe ReversingLabs: Detection: 36%
Source: Ref#2056119.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ishon.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Joe Sandbox ML: detected
Source: Ref#2056119.exe Joe Sandbox ML: detected
Source: 8.2.Liphmahu.exe.400000.0.unpack String decryptor: 89.40.31.232
Source: 8.2.Liphmahu.exe.400000.0.unpack String decryptor: 1717
Source: 8.2.Liphmahu.exe.400000.0.unpack String decryptor: <Xwormmm>
Source: 8.2.Liphmahu.exe.400000.0.unpack String decryptor: 28Nov2024
Source: 8.2.Liphmahu.exe.400000.0.unpack String decryptor: USB.exe
Source: Ref#2056119.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Ref#2056119.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.pdbsR source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb@RqN source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Liphmahu.PDB source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HP*n,C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbM source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ##.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715402Ch 0_2_07153E12
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715402Ch 0_2_07153E20
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 071536EFh 0_2_07153690
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 071536EFh 0_2_07153682
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715A448h 0_2_0715A6EF
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715A448h 0_2_0715A505
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715A448h 0_2_0715A3B8
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 4x nop then jmp 0715A448h 0_2_0715A3C8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4x nop then jmp 05D8A7B5h 4_2_05D8A490
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4x nop then jmp 05D8A7B5h 4_2_05D8A480
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4x nop then jmp 05D8A7B5h 4_2_05D8A84C
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4x nop then jmp 05D84475h 4_2_05D84280
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4x nop then jmp 05D84475h 4_2_05D84270
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0748402Ch 7_2_07483E12
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0748402Ch 7_2_07483E20
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 074836EFh 7_2_07483682
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 074836EFh 7_2_07483690
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0748A448h 7_2_0748A505
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0748A448h 7_2_0748A3C8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0748A448h 7_2_0748A3B8
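The two extracted configurations at the top of this section are the most actionable lines in the report. The script below is an added example, not part of the Joe Sandbox output and not code from either malware family: it normalizes those configurations into an IOC list and Suricata rules. The configuration values are the ones printed on this page; the `Ioc` record layout, the SID range starting at 9000000 and the rule messages are this example's own choices. It also generalizes slightly beyond this sample by accepting a hostname in the AgentTesla `Host` field (this sample uses a bare IP) and emitting a `dns.query` rule for it, since a hostname cannot sit in a Suricata address field. The SMTP account and the Telegram bot token are credentials the operator uses, so they are marked non-shareable: hand them to the mail provider and to Telegram for takedown rather than publishing them in a feed. Note also that in the traffic listed on this page only the AgentTesla endpoint 162.254.34.31:587 is actually contacted; the XWorm rule comes from the configuration alone.

```python
"""Normalize the malware configurations this report extracted into an IOC
list and Suricata rules. Added example, not Joe Sandbox or malware code.
Config values are copied from the report; the Ioc record layout, the SID
range and the rule messages are this example's assumptions."""
import ipaddress
from dataclasses import dataclass

# Values exactly as the report's configuration extractor printed them.
XWORM_CONFIG = {
    "C2 url": ["89.40.31.232"],
    "Port": 1717,
    "Aes key": "1717",
    "SPL": "<Xwormmm>",
    "Install file": "USB.exe",
    "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk",
    "Telegram Chatid": "793028759",
}
AGENTTESLA_CONFIG = {
    "Exfil Mode": "SMTP",
    "Port": "587",
    "Host": "162.254.34.31",
    "Username": "sendxambro@educt.shop",
    "Password": "ABwuRZS5Mjh5",
}


@dataclass(frozen=True)
class Ioc:
    kind: str        # ipv4 | domain | tcp-endpoint | telegram-bot-id | telegram-token | smtp-account
    value: str
    family: str
    shareable: bool  # False: attacker credential, give to the provider for takedown, never to a feed


def _host_kind(host: str) -> str:
    """'ipv4' for a literal address, 'domain' for anything else the extractor printed."""
    try:
        ipaddress.IPv4Address(host)
        return "ipv4"
    except ipaddress.AddressValueError:
        return "domain"


def iocs_from_xworm(cfg: dict) -> list[Ioc]:
    out = []
    port = int(cfg["Port"])
    for host in cfg["C2 url"]:
        out.append(Ioc(_host_kind(host), host, "XWorm", True))
        out.append(Ioc("tcp-endpoint", f"{host}:{port}", "XWorm", True))
    token = cfg.get("Telegram Token")
    if token:
        bot_id = token.split(":", 1)[0]   # numeric bot id is safe to share; the secret half is not
        out.append(Ioc("telegram-bot-id", bot_id, "XWorm", True))
        out.append(Ioc("telegram-token", token, "XWorm", False))
    return out


def iocs_from_agenttesla(cfg: dict) -> list[Ioc]:
    host, port, mode = cfg["Host"], int(cfg["Port"]), cfg["Exfil Mode"].lower()
    out = [Ioc(_host_kind(host), host, "AgentTesla", True),
           Ioc("tcp-endpoint", f"{host}:{port}", "AgentTesla", True)]
    if mode == "smtp":
        out.append(Ioc("smtp-account", cfg["Username"], "AgentTesla", False))
    return out


def shareable_feed(iocs: list[Ioc]) -> list[Ioc]:
    return [i for i in iocs if i.shareable]


def suricata_rules(iocs: list[Ioc], base_sid: int = 9_000_000) -> list[str]:
    """One rule per endpoint: an address rule for an IP, a dns.query rule for a hostname."""
    rules, sid = [], base_sid
    for ioc in iocs:
        if ioc.kind != "tcp-endpoint":
            continue
        host, port = ioc.value.rsplit(":", 1)
        if _host_kind(host) == "ipv4":
            rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                         f'(msg:"LOCAL MALWARE {ioc.family} endpoint from sandbox config"; '
                         f'flow:to_server; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any '
                         f'(msg:"LOCAL MALWARE {ioc.family} domain from sandbox config"; '
                         f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    all_iocs = iocs_from_xworm(XWORM_CONFIG) + iocs_from_agenttesla(AGENTTESLA_CONFIG)
    for ioc in shareable_feed(all_iocs):
        print(f"{ioc.family:10} {ioc.kind:16} {ioc.value}")
    print("\n".join(suricata_rules(all_iocs)))
```

Both endpoints sit in hosting-provider address space (the report lists the ASN as VIVIDHOSTINGUS), so treat the address rules as short-lived and retire them once the infrastructure is observed to be reassigned.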

Networking

Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Malware configuration extractor URLs: 89.40.31.232
Source: Yara match File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 162.254.34.31:587
Source: global traffic HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1 | Host: cia.tf | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /417440cce6502c1c57308172e9826dec.mp4 HTTP/1.1 | Host: cia.tf | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1 | Host: cia.tf | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 162.254.34.31 162.254.34.31
Source: Joe Sandbox View ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31 (30 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic DNS traffic detected: DNS query: cia.tf
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3135918315.000000000555B000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.000000000117E000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Liphmahu.exe, 00000004.00000002.2209273870.00000000060D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf
Source: Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/417440cce6502c1c57308172e9826dec.mp4HI
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI
Source: ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI=
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0715F008 NtResumeThread, 0_2_0715F008
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0715F002 NtResumeThread, 0_2_0715F002
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D8F138 NtResumeThread, 4_2_05D8F138
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D8F130 NtResumeThread, 4_2_05D8F130
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_06A2E870 NtProtectVirtualMemory, 4_2_06A2E870
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_06A2E868 NtProtectVirtualMemory, 4_2_06A2E868
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06E2CC88 NtProtectVirtualMemory, 7_2_06E2CC88
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06E2F140 NtResumeThread, 7_2_06E2F140
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06E2CC81 NtProtectVirtualMemory, 7_2_06E2CC81
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06E2F138 NtResumeThread, 7_2_06E2F138
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932
Source: Ref#2056119.exe Static PE information: invalid certificate
Source: Ref#2056119.exe, 00000000.00000002.2030087377.000000000108E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2059133094.0000000007680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLiphk vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004149000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2053393935.0000000006F30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameZtyrhxmwj.dll" vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLiphmahu.exeF vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000005.00000002.3110409320.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ref#2056119.exe
Source: Ref#2056119.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Ref#2056119.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Liphmahu.exe.0.dr, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ishon.exe.0.dr, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ref#2056119.exe.40d0d40.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@13/4@2/3
Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs
Source: C:\Users\user\AppData\Roaming\ishon.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Mutant created: \Sessions\1\BaseNamedObjects\qnzzEC3SI3U6Qmbo
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:64:WilError_03
Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: Ref#2056119.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref#2056119.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ref#2056119.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Ref#2056119.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ref#2056119.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\Ref#2056119.exe File read: C:\Users\user\Desktop\Ref#2056119.exe
Source: unknown Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
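The process-creation lines above are the part of this report an analyst reads first: the sample launches a second copy of its own image (and so does each dropped stage), wscript.exe runs a .vbs from the Startup folder, that script host then starts ishon.exe out of AppData\Roaming, and Liphmahu.exe ends in WerFault.exe, i.e. one stage crashed. The following script is an added example, not Joe Sandbox code and not part of the sample: it reconstructs the process tree from "Process created" lines of exactly this format and applies four lineage heuristics. The eight report lines are embedded as constructed input so it runs offline; the rule names are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows-style path splitting on any host OS

# Constructed sample input: the eight "Process created" lines from the report,
# copied verbatim so the script runs without the sandbox.
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
"""

PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_process_events(text):
    """Return [(parent_image, child_image, child_command_line), ...] in report order."""
    events = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def build_tree(events):
    """Parent image -> list of child images (duplicates kept: a re-launch is itself a signal)."""
    tree = defaultdict(list)
    for parent, image, _ in events:
        tree[parent].append(image)
    return dict(tree)


def triage(events):
    """Apply four lineage heuristics; return (rule, subject) findings in report order."""
    findings = []
    for parent, image, cmdline in events:
        parent_name = basename(parent).lower()
        child_name = basename(image).lower()
        if parent.lower() == image.lower():
            # An image re-launching its own file is the usual setup for
            # suspended-process injection: the child gets a different payload.
            findings.append(("self_spawn", image))
        if child_name in SCRIPT_HOSTS and STARTUP_DIR in cmdline.lower():
            # Persistence: a script in the per-user Startup folder.
            findings.append(("startup_folder_script", cmdline))
        if parent_name in SCRIPT_HOSTS and "\\appdata\\" in image.lower():
            # Script host launching a user-writable executable: second stage.
            findings.append(("script_host_runs_appdata_exe", image))
        if child_name == "werfault.exe":
            # WerFault -p <pid> means the parent crashed; that stage may not
            # have finished whatever it was doing.
            pid = re.search(r"-p (\d+)", cmdline)
            findings.append(("crash_in_parent", f"{parent} pid={pid.group(1) if pid else '?'}"))
    return findings


if __name__ == "__main__":
    evs = parse_process_events(REPORT_LINES)
    for parent, children in build_tree(evs).items():
        print(parent, "->", ", ".join(children))
    for rule, subject in triage(evs):
        print(f"[{rule}] {subject}")
```

On the report's lines this yields three self-spawns (Ref#2056119.exe, Liphmahu.exe, ishon.exe), the Startup-folder ishon.vbs, ishon.exe started by wscript.exe, and the WerFault crash of Liphmahu.exe (pid 6104). The crash is worth keeping in mind when reading the rest of the report: behaviour attributed to Liphmahu.exe may have been cut short.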
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wintypes.dll
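The module-load listings are long but carry a clear signal once read per process instance. The report prints two listings for Ref#2056119.exe, matching the sample launching a second copy of its own image; only the second one loads wbemcomn.dll (WMI client, consistent with the Win32_Processor queries logged above), wtsapi32.dll/winsta.dll (session enumeration) and vaultcli.dll (Windows Credential Manager), i.e. the stealer capabilities live in the re-launched copy. The script below is an added example, not Joe Sandbox code and not part of the sample: it parses "Section loaded" lines, maps well-known DLLs to capability hints, and diffs what the re-launched instance loaded against the first. The two listings are constructed excerpts of the report, and the capability table is this example's own heuristic: a loaded DLL shows the code can reach an API, not that it called it.

```python
import re
from collections import OrderedDict

LOAD_RE = re.compile(r"^Source: (?P<proc>.+?) Section loaded: (?P<dll>\S+)$")

# Constructed excerpt of the report's first listing for the sample (the
# instance started from the desktop).
FIRST_LISTING = r"""
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: urlmon.dll
"""

# Constructed excerpt of the second listing for the same image (the copy the
# sample re-launched), plus three wscript.exe lines.
SECOND_LISTING = r"""
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
"""

# Well-known module -> capability hint (this example's own triage table).
CAPABILITIES = {
    "mscoree.dll":  "CLR host: managed (.NET) code is running",
    "amsi.dll":     "AMSI engaged: script or assembly content is offered for scanning",
    "wbemcomn.dll": "WMI client (hardware/VM fingerprinting such as Win32_Processor)",
    "vaultcli.dll": "Windows Credential Manager (vault) access",
    "wtsapi32.dll": "terminal-session enumeration",
    "schannel.dll": "TLS via SChannel",
    "ncrypt.dll":   "CNG key handling (TLS key exchange, certificates)",
    "winhttp.dll":  "HTTP client via WinHTTP",
    "urlmon.dll":   "URL moniker download (URLDownloadToFile family)",
    "dnsapi.dll":   "DNS resolution",
    "vbscript.dll": "VBScript engine",
    "scrrun.dll":   "Scripting Runtime (FileSystemObject and friends)",
}


def parse_loads(text):
    """{process_image: [dll, ...]} in first-seen order, repeated loads collapsed."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = LOAD_RE.match(line.strip())
        if not m:
            continue
        dlls = loads.setdefault(m["proc"], [])
        dll = m["dll"].lower()
        if dll not in dlls:
            dlls.append(dll)
    return loads


def capability_hints(dlls):
    """[(dll, hint)] for the loaded modules that map to a known capability."""
    return [(d, CAPABILITIES[d]) for d in dlls if d in CAPABILITIES]


def newly_loaded(before, after):
    """Modules the re-launched instance loaded that the first instance never did."""
    seen = set(before)
    return [d for d in after if d not in seen]


if __name__ == "__main__":
    image = r"C:\Users\user\Desktop\Ref#2056119.exe"
    first, second = parse_loads(FIRST_LISTING), parse_loads(SECOND_LISTING)
    for proc, dlls in second.items():
        print(proc)
        for dll, hint in capability_hints(dlls):
            print(f"  {dll:14} {hint}")
    print("only in the re-launched copy:", newly_loaded(first[image], second[image]))
```

The diff is the useful output: the first instance looks like a generic .NET program with a TLS-capable HTTP stack, while the re-launched copy adds WMI, session enumeration and the credential vault. That pattern (loader stage, then an injected payload with stealer imports) is what the "Injects a PE file into a foreign processes" and credential-harvesting signatures in this report describe from the other side.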
Source: C:\Users\user\Desktop\Ref#2056119.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Ref#2056119.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Ref#2056119.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ref#2056119.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.pdbsR source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb@RqN source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Liphmahu.PDB source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HP*n,C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbM source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ##.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
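The PDB strings above come from two sources that should not be read the same way. The clean paths (the dahall TaskScheduler build path, protobuf-net.pdb) are CodeView debug records of libraries bundled into the sample and tell you which third-party code is embedded; the fragments with junk around them (HP*n,C:\Windows\System.pdb, protobuf-net.pdbSHA256}Lq, ##.pdb) are what a loose string scan over heap and stack memory picks up and carry no reliable provenance. The following script is an added example, not Joe Sandbox code and not part of the sample: it parses genuine RSDS records (signature, GUID, age, NUL-terminated path) and runs a loose ".pdb" scan beside them so the difference is visible. The byte blob is constructed here, with a made-up GUID and one real path string from the report, and is not the sample's memory.

```python
import re
import struct
import uuid

# CodeView "RSDS" record as written by the linker: signature, 16-byte GUID,
# 4-byte age, NUL-terminated path. This is what a debugger would actually use.
RSDS_RE = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL)

# Loose fallback: any printable run ending in ".pdb". Catches leftovers in heap
# and stack dumps but also drags in whatever printable bytes precede the path.
LOOSE_PDB_RE = re.compile(rb"[ -~]{1,259}\.pdb", re.IGNORECASE)


def build_sample():
    """Constructed blob (not the real sample): one genuine RSDS record carrying the
    TaskScheduler PDB path from the report, then two loose fragments modelled on the
    garbled strings the report shows. The GUID is invented."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    path = rb"C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb"
    record = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + path + b"\x00"
    return (b"\x00" * 8 + record + b"\xcc" * 5
            + b"protobuf-net.pdbSHA256}Lq"            # trailing junk, as in the report
            + b"\x90\x90HP*n,C:\\Windows\\System.pdb\x00")  # leading junk, as in the report


def find_rsds(buf):
    """Parse every RSDS record: GUID in Windows byte order, age and path."""
    records = []
    for m in RSDS_RE.finditer(buf):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m["guid"])),
            "age": struct.unpack("<I", m["age"])[0],
            "path": m["path"].decode("latin-1"),
        })
    return records


def find_pdb_strings(buf):
    """Loose scan; compare with find_rsds() to see which hits carry junk prefixes."""
    return [m.group(0).decode("latin-1") for m in LOOSE_PDB_RE.finditer(buf)]


if __name__ == "__main__":
    blob = build_sample()
    for rec in find_rsds(blob):
        print("RSDS", rec["guid"], "age", rec["age"], rec["path"])
    for s in find_pdb_strings(blob):
        print("loose", repr(s))
```

On the constructed blob the RSDS parser returns exactly one record with the TaskScheduler path, while the loose scan returns three strings, one of them with the "HP*n," prefix that is stack or heap debris rather than a path. When pivoting on PDB paths as an indicator (the dahall build path is a good one for spotting the bundled TaskScheduler library), use the RSDS-derived GUID and path and treat loose matches as leads only.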

Data Obfuscation

Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 4.2.Liphmahu.exe.6890000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.3630ad0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.71f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2215628448.0000000006890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2055273808.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0133DA98 pushad ; ret 0_2_0133DA99
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_070F1913 push eax; ret 0_2_070F191D
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_070F1C88 push eax; retf 0_2_070F1E11
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_070F1C83 push eax; retf 0_2_070F1E11
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0714E65A push eax; retf 0_2_0714E661
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0714E9DC push esp; iretd 0_2_0714E9F1
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_071584DF push edi; iretd 0_2_071584FF
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_07153A12 push BA051AC2h; retf 0_2_07153A17
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0717C929 push BA051AC2h; ret 0_2_0717C92E
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_071781B9 pushad ; iretd 0_2_071781C5
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0743552D push FFFFFF8Bh; iretd 0_2_0743552F
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_07435405 push FFFFFF8Bh; iretd 0_2_07435407
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_074353EC push FFFFFF8Bh; ret 0_2_074353F0
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_074353B1 push FFFFFF8Bh; ret 0_2_074353B6
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_07434AFA push 8BF08B6Ah; retf 0_2_07434AFF
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_0743E1E3 push 8BD08B6Bh; retf 0_2_0743E1E8
Source: C:\Users\user\Desktop\Ref#2056119.exe Code function: 0_2_074B53A0 push eax; ret 0_2_074B53A1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_0091E998 pushad ; retf 4_2_0091E9B6
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_0091DA98 pushad ; ret 4_2_0091DA99
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D25191 pushad ; ret 4_2_05D251F1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D25198 pushad ; ret 4_2_05D251F1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D21913 push eax; ret 4_2_05D2191D
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D4EDBA pushfd ; iretd 4_2_05D4EDC1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D83DDD push BA04A3C2h; retf 4_2_05D83DE2
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D8F571 push BA04A3C2h; retn 0001h 4_2_05D8F576
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D884BA push 3005D7CBh; iretd 4_2_05D884C5
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D87690 pushfd ; ret 4_2_05D87691
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D83EA3 push BA04A3C2h; retf 4_2_05D83EA8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D8F679 push BA04A3C2h; retn 0001h 4_2_05D8F67E
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_05D83BB6 push BA04A3C2h; ret 4_2_05D83BBB
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Code function: 4_2_067C45B3 push ss; iretd 4_2_067C45B9
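The push/ret entries above are disassembly hits for a stack push followed directly by a return (push imm32/reg/pushad, then ret, retf, iretd or retn imm16), a pattern that is rare in compiler output and typical of the junk and control-flow obfuscation found in the unpacked native stubs of this sample. The Python below is an added example, not part of the Joe Sandbox report or the sample, that re-implements that heuristic over a raw code buffer so the same check can be run on the .raw.unpack dumps listed in this report. The byte sequence in SAMPLE and the base address 0x00400000 are constructed for illustration; the opcode table, the gap parameter and the "0_2" prefix rendering are assumptions of this example, not a description of the sandbox's own matcher.

```python
"""Heuristic scan for `push ...; ret/retf/iretd` sequences in 32-bit x86 code.

Added example: reproduces the kind of hit the report lists
("push BA051AC2h; retf", "pushad ; ret", "push FFFFFF8Bh; iretd") on a
raw code buffer such as a dumped .raw.unpack section.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One-byte push opcodes (assumption: 32-bit code, instruction prefixes not decoded)
_PUSH_REG = {0x50 + i: f"push {r}" for i, r in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
_PUSH_MISC = {0x60: "pushad", 0x9C: "pushfd", 0x06: "push es",
              0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
_RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}      # no operand
_RET_IMM16 = {0xC2: "retn", 0xCA: "retf"}               # imm16 operand


@dataclass(frozen=True)
class Hit:
    push_off: int   # address of the push
    ret_off: int    # address of the return
    text: str       # mnemonics in the report's style


def _decode_push(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, length) if a push instruction starts at buf[i]."""
    op = buf[i]
    if op in _PUSH_REG:
        return _PUSH_REG[op], 1
    if op in _PUSH_MISC:
        return _PUSH_MISC[op], 1
    if op == 0x68 and i + 5 <= len(buf):              # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(buf):              # push imm8, sign-extended to 32 bits
        imm = buf[i + 1]
        if imm & 0x80:
            imm |= 0xFFFFFF00
        return f"push {imm:08X}h", 2
    return None


def _decode_ret(buf: bytes, j: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, length) if a return instruction starts at buf[j]."""
    op = buf[j]
    if op in _RET:
        return _RET[op], 1
    if op in _RET_IMM16 and j + 3 <= len(buf):
        imm = int.from_bytes(buf[j + 1:j + 3], "little")
        return f"{_RET_IMM16[op]} {imm:04X}h", 3
    return None


def scan(buf: bytes, base: int = 0, max_gap: int = 0) -> List[Hit]:
    """Report every push whose following instruction (within max_gap bytes) is a return."""
    hits: List[Hit] = []
    i = 0
    while i < len(buf):
        push = _decode_push(buf, i)
        if push is None:
            i += 1
            continue
        mnem, plen = push
        end = i + plen
        for j in range(end, min(end + max_gap + 1, len(buf))):
            ret = _decode_ret(buf, j)
            if ret is not None:
                hits.append(Hit(base + i, base + j, f"{mnem}; {ret[0]}"))
                break
        i = end                      # skip the immediate bytes of the push
    return hits


def format_hits(hits: List[Hit], tag: str = "0_2") -> List[str]:
    """Render hits like the report lines: '0_2_0133DA98 pushad; ret 0_2_0133DA99'."""
    return [f"{tag}_{h.push_off:08X} {h.text} {tag}_{h.ret_off:08X}" for h in hits]


# Constructed buffer (not bytes from the sample): a normal prologue and epilogue
# around the obfuscation patterns quoted in the report.
SAMPLE = bytes.fromhex(
    "558BEC"            # push ebp; mov ebp, esp   (legitimate, must not hit)
    "8B4508"            # mov eax, [ebp+8]
    "60C3"              # pushad; ret
    "68C21A05BACB"      # push BA051AC2h; retf
    "6A8BCF"            # push FFFFFF8Bh; iretd
    "68C2A304BAC20100"  # push BA04A3C2h; retn 0001h
    "16CF"              # push ss; iretd
    "54CF"              # push esp; iretd
    "5DC3"              # pop ebp; ret             (legitimate, must not hit)
)

if __name__ == "__main__":
    for line in format_hits(scan(SAMPLE, base=0x00400000)):
        print(line)
```

With max_gap left at 0 the scanner only reports adjacent pairs; raising it to a few bytes reproduces hits like the report's `push eax; ret` pairs whose addresses are several bytes apart, at the cost of more false positives on ordinary code.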
Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Roaming\ishon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to dropped file
Source: C:\Users\user\Desktop\Ref#2056119.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to behavior (repeated 2 times)
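The ishon.vbs entry above is the persistence mechanism behind the "Drops VBS files to the startup folder" and "Sigma detected: Drops script at startup location" signatures: anything placed in a Start Menu Startup folder is executed at the next logon, and a .vbs there is run by wscript.exe, which matches the wscript.exe activity elsewhere in this report. The Python below is an added example, not from the report or the sample, of that detection logic run over file-creation events modelled on the paths listed here. It flags script files created under a per-user or all-users Startup folder and ties each hit back to the other files the same process dropped (here ishon.exe and Liphmahu.exe), so the analyst knows which payloads to pull alongside the script. The benign installer event and the extension list are assumptions of the example; the content of ishon.vbs is not on this page, so the code makes no claim about what the script launches.

```python
"""Flag script files written to a Windows Startup folder and correlate them
with the other files their writer dropped.

Added example, not part of the Joe Sandbox report: SAMPLE_EVENTS is
constructed from the file paths the report lists, not parsed from it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Per-user and all-users Startup folders, matched case-insensitively on the
# part after the drive/user prefix so any user name matches.
STARTUP_DIRS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)
# Script types Windows runs directly from Startup via wscript/cscript, cmd,
# powershell or mshta (assumption: extend to taste).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".bat", ".cmd", ".ps1", ".hta")


@dataclass(frozen=True)
class FileEvent:
    process: str   # image path of the process that created the file
    path: str      # full path of the created file


def is_startup_script_drop(ev: FileEvent) -> bool:
    """True when the created file is a script inside a Startup folder."""
    p = ev.path.lower()
    return any(d in p for d in STARTUP_DIRS) and p.endswith(SCRIPT_EXTS)


def triage(events: Iterable[FileEvent]) -> List[FileEvent]:
    """All events that satisfy the Startup-script rule."""
    return [ev for ev in events if is_startup_script_drop(ev)]


def correlate(events: Iterable[FileEvent]) -> Dict[str, List[str]]:
    """For each flagged Startup script, list the other files its writer created.
    Repeated entries for the same path (as the report shows) are collapsed."""
    events = list(events)
    by_proc: Dict[str, List[str]] = {}
    for ev in events:
        paths = by_proc.setdefault(ev.process, [])
        if ev.path not in paths:
            paths.append(ev.path)
    return {
        ev.path: [p for p in by_proc[ev.process] if p != ev.path]
        for ev in triage(events)
    }


# Constructed from the file-creation entries in this report, plus one
# hypothetical benign shortcut to show what this rule does not flag.
DROPPER = r"C:\Users\user\Desktop\Ref#2056119.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    FileEvent(DROPPER, r"C:\Users\user\AppData\Roaming\ishon.exe"),
    FileEvent(DROPPER, r"C:\Users\user\AppData\Local\Temp\Liphmahu.exe"),
    FileEvent(DROPPER, STARTUP + r"\ishon.vbs"),
    FileEvent(DROPPER, STARTUP + r"\ishon.vbs"),           # repeated entry, as in the report
    FileEvent(r"C:\Program Files\Example\setup.exe",      # hypothetical installer
              STARTUP + r"\Example Updater.lnk"),         # .lnk persistence needs its own rule
]

if __name__ == "__main__":
    for script, siblings in correlate(SAMPLE_EVENTS).items():
        print(f"[!] Startup script drop: {script}")
        for s in siblings:
            print(f"    same writer also created: {s}")
```

The same rule is easy to express as a Sigma file-event condition (TargetFilename contains a Startup folder path and ends with one of the script extensions); the correlation step is what the sandbox report gives for free and what a SIEM query has to join on ProcessGuid.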
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (repeated 60 times)
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (repeated 59 times)
Source: C:\Users\user\Desktop\Ref#2056119.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (repeated 64 times)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (repeated 3 times)
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX (repeated 59 times)
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process information set: NOOPENFILEERRORBOX (repeated 23 times)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (2 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX (63 identical entries collapsed)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 12F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 44A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 1290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: 4DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 1790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory allocated: 4C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 13B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\Ref#2056119.exe Window / User API: threadDelayed 7374
Source: C:\Users\user\Desktop\Ref#2056119.exe Window / User API: threadDelayed 1923
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Window / User API: threadDelayed 3372
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Window / User API: threadDelayed 1650
Source: C:\Users\user\Desktop\Ref#2056119.exe Window / User API: threadDelayed 1358
Source: C:\Users\user\Desktop\Ref#2056119.exe Window / User API: threadDelayed 4720
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 2196
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 4986
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 5721
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 1653
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7560 Thread sleep count: 7374 > 30
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7560 Thread sleep count: 1923 > 30
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99655s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98670s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98543s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98421s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -98179s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97998s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97575s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97124s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96901s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96781s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96671s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96562s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96453s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96343s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96230s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95999s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95888s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95765s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95546s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95435s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95324s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95194s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -95078s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -94956s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528 Thread sleep time: -94830s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99854s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7908 Thread sleep count: 3372 > 30
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7908 Thread sleep count: 1650 > 30
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99452s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99330s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -99055s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98534s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -98032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97294s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97184s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -97075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96946s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96573s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96467s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96356s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96213s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884 Thread sleep time: -96090s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8100 Thread sleep count: 1358 > 30
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -99520s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -99292s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8100 Thread sleep count: 4720 > 30
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -99148s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97871s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97762s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97193s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -97074s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96464s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96357s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96249s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96125s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -96015s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95797s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95687s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95468s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -95359s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2852 Thread sleep count: 2196 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99886s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2676 Thread sleep count: 4986 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98479s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98341s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -98075s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -96078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -95967s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280 Thread sleep time: -95789s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2640 Thread sleep count: 5721 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2640 Thread sleep count: 1653 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99407s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98688s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97840s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97715s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97493s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97266s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -97016s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96907s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96782s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96657s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96188s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -95828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -95719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#2056119.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ishon.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99764 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99655 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99218 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98999 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98670 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98543 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98421 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98312 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98179 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97998 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97796 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97575 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97453 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97343 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97124 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97015 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96901 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96781 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96671 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96562 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96453 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96343 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96230 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96109 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95999 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95888 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95765 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95656 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95546 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95435 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95324 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95194 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95078 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 94956 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 94830 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99854 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99704 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99452 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99330 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 99055 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98534 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98407 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98282 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98157 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 98032 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97813 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97294 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97184 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 97075 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96946 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96824 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96716 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96573 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96467 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96356 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96213 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Thread delayed: delay time: 96090 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99828 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99520 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99292 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 99148 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98547 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98218 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97871 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97762 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97640 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97531 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97422 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97312 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97193 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 97074 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96953 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96464 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96357 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96249 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96125 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 96015 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95797 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95687 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95578 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95468 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 95359 Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99886
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98479
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98341
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98075
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97969
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96546
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96328
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96219
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96078
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 95967
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 95789
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99407
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98688
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97840
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97715
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97493
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97266
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97141
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97016
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96907
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96782
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96657
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96438
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96188
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 95938
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 95828
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 95719
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: Ref#2056119.exe, 00000000.00000002.2053393935.0000000006F30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: iNHGFs8Tfb
Source: ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Liphmahu.exe, 00000004.00000002.2191181764.000000000083B000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.0000000001491000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Ref#2056119.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Ref#2056119.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Ref#2056119.exe Memory written: C:\Users\user\Desktop\Ref#2056119.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Memory written: C:\Users\user\AppData\Local\Temp\Liphmahu.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory written: C:\Users\user\AppData\Roaming\ishon.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Users\user\Desktop\Ref#2056119.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Liphmahu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Users\user\Desktop\Ref#2056119.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Liphmahu.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Ref#2056119.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 6104, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ref#2056119.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ishon.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Ref#2056119.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Ref#2056119.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Ref#2056119.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Ref#2056119.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ishon.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
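The file and registry accesses above are the stealer's credential-harvesting footprint: Chromium "Login Data" databases, Firefox-family and Thunderbird profiles.ini, the WinSCP Sessions key, the Windows Messaging Subsystem and IncrediMail keys, and FTP Navigator's Ftplist.txt. What makes them a useful hunting signal is not any single path (the owning application opens it routinely) but a process that is not the owner touching several of these stores in one run. The script below is an added example, not part of the Joe Sandbox report or of any tool it references: it turns the observed paths into patterns, runs them over constructed file/registry-access events in a simplified (image, target) form, and rates each non-owner process by how many credential-store categories it reached. The event shape, the owner allowlist, and the severity thresholds are assumptions for illustration; the patterns generalise beyond this sample to any process harvesting the same stores.

```python
"""Hunt for credential-store access by processes that do not own the store.

Added example, not from the sandbox report. The path/key patterns are derived
from the accesses the report lists; the event format (image, target), the owner
allowlist and the severity rule are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Credential stores observed in the report, grouped by what they hold.
# Each pattern is a case-insensitive regex over a file path or registry key.
CREDENTIAL_STORES: List[Tuple[str, str]] = [
    (r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", "browser"),
    (r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", "browser"),
    (r"\\Thunderbird\\profiles\.ini$", "mail"),
    (r"\\Windows Messaging Subsystem\\Profiles$", "mail"),
    (r"\\IncrediMail\\Identities$", "mail"),
    (r"\\Martin Prikryl\\WinSCP 2\\Sessions$", "sftp"),
    (r"\\FTP Navigator\\Ftplist\.txt$", "ftp"),
]

# Assumed allowlist: process image names expected to open each store category.
# Matching is by file name only, so a process masquerading under one of these
# names would pass; pair this with signer/path checks in a real deployment.
EXPECTED_OWNERS: Dict[str, Set[str]] = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "mail": {"thunderbird.exe", "outlook.exe"},
    "sftp": {"winscp.exe"},
    "ftp": set(),
}


def classify(target: str) -> Optional[str]:
    """Return the credential-store category of a path/key, or None if it is not one."""
    for pattern, category in CREDENTIAL_STORES:
        if re.search(pattern, target, re.IGNORECASE):
            return category
    return None


def find_credential_harvesting(
    events: Iterable[Tuple[str, str]],
    allowlist: Dict[str, Set[str]] = EXPECTED_OWNERS,
) -> List[dict]:
    """Rate each process that opened credential stores it does not own.

    events yields (process_image, target) pairs. A process touching one store
    category is 'medium'; two or more categories in one run is the breadth
    typical of a stealer and is rated 'high'. Duplicate opens count once.
    """
    touched: Dict[str, Set[str]] = defaultdict(set)
    for image, target in events:
        category = classify(target)
        if category is None:
            continue
        name = image.rsplit("\\", 1)[-1].lower()
        if name in allowlist.get(category, set()):
            continue  # the owning application reading its own store
        touched[image].add(category)

    alerts = []
    for image in sorted(touched):
        categories = sorted(touched[image])
        alerts.append({
            "image": image,
            "categories": categories,
            "severity": "high" if len(categories) >= 2 else "medium",
        })
    return alerts


# Constructed sample events: the first seven mirror accesses listed in the
# report (one Thunderbird open repeated, as in the report); the last two are
# invented benign activity to show the allowlist and the non-match path.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\user\AppData\Roaming\ishon.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\user\AppData\Roaming\ishon.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (r"C:\Users\user\AppData\Roaming\ishon.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (r"C:\Users\user\AppData\Roaming\ishon.exe", r"C:\FTP Navigator\Ftplist.txt"),
    (r"C:\Users\user\Desktop\Ref#2056119.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Users\user\Desktop\Ref#2056119.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (r"C:\Users\user\Desktop\Ref#2056119.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\user\Desktop\notes.txt"),
]


if __name__ == "__main__":
    for alert in find_credential_harvesting(SAMPLE_EVENTS):
        print(f"{alert['severity']:6} {alert['image']}  ->  {', '.join(alert['categories'])}")
```

Run against the constructed events, ishon.exe is rated high (browser, ftp and sftp stores in one run) and Ref#2056119.exe medium (mail stores only), while chrome.exe opening its own Login Data and notepad.exe opening an ordinary file produce nothing. The breadth rule is the part worth keeping when adapting this to real telemetry (Sysmon Event ID 11/12/13 or EDR file and registry events): a single profiles.ini read has benign explanations, a process from AppData\Roaming reading browser, SFTP and FTP stores within seconds does not.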
Source: Yara match File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Liphmahu.exe PID: 6104, type: MEMORYSTR