Windows Analysis Report
LAQfpnQvPQ.exe

Overview

General Information

Sample name: LAQfpnQvPQ.exe
renamed because original name is a hash value
Original sample name: b5d25a995424fd4d4fe5303ca4e90ceeb2794989f58213bda32b29c8716c5cfb.exe
Analysis ID: 1562379
MD5: 08565a4a256fb8f4f3497c695991829f
SHA1: b2c4d59213108fe33197e3685b1602f56047f62c
SHA256: b5d25a995424fd4d4fe5303ca4e90ceeb2794989f58213bda32b29c8716c5cfb
Tags: cia-tfexeuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ishon.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: LAQfpnQvPQ.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ishon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LAQfpnQvPQ.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: LAQfpnQvPQ.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.5:49739 -> 172.67.177.134:443 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49792 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: LAQfpnQvPQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: LAQfpnQvPQ.exe, 00000000.00000002.2241775942.0000000006A10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: LAQfpnQvPQ.exe, 00000000.00000002.2241775942.0000000006A10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069FA49Ah 0_2_069FA430
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069FA49Ah 0_2_069FA420
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069FA49Ah 0_2_069FA5DE
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069F443Dh 0_2_069F4270
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069F443Dh 0_2_069F4260
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069F3BA7h 0_2_069F3B38
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 069F3BA7h 0_2_069F3B48
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 02D2F206h 3_2_02D2F017
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 02D2FB90h 3_2_02D2F017
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02D2E538
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02D2EB6B
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02D2ED4C
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE8945h 3_2_05AE8608
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE8459h 3_2_05AE81B0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE5441h 3_2_05AE5198
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE7BA9h 3_2_05AE7900
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE0FF1h 3_2_05AE0D48
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE8001h 3_2_05AE7D58
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE7751h 3_2_05AE74A8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE0741h 3_2_05AE0498
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE0B99h 3_2_05AE08F0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE02E9h 3_2_05AE0040
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE72FAh 3_2_05AE7050
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_05AE33A8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_05AE33B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE6E79h 3_2_05AE6BD0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE65C9h 3_2_05AE6320
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE6A21h 3_2_05AE6778
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_05AE36CE
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE6171h 3_2_05AE5EC8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE58C1h 3_2_05AE5618
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 4x nop then jmp 05AE5D19h 3_2_05AE5A70
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0762A72Ah 5_2_0762A6C0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0762A72Ah 5_2_0762A6B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 076242CDh 5_2_07624100
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 07623A37h 5_2_076239C8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 07623A37h 5_2_076239D8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0762A72Ah 5_2_0762A86E
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 076242CDh 5_2_076240F0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0155F1F6h 7_2_0155F007
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 0155FB80h 7_2_0155F007
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_0155E528
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB8945h 7_2_06BB8608
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB65C9h 7_2_06BB6320
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB6171h 7_2_06BB5EC8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB58C1h 7_2_06BB5618
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB6A21h 7_2_06BB6778
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB7751h 7_2_06BB74A8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB0741h 7_2_06BB0498
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB8001h 7_2_06BB7D58
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB0FF1h 7_2_06BB0D48
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB5D19h 7_2_06BB5A70
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_06BB33B8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_06BB33A8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB6E79h 7_2_06BB6BD0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB0B99h 7_2_06BB08F0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB72FAh 7_2_06BB7050
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB02E9h 7_2_06BB0040
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB8459h 7_2_06BB81B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB5441h 7_2_06BB5198
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 4x nop then jmp 06BB7BA9h 7_2_06BB7900

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /12e2f2f2315804d08baebc78b9269ad1.mp3 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /12e2f2f2315804d08baebc78b9269ad1.mp3 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49727 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49789 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49821 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49814 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49802 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49724 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49739 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49798 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49824 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49851 -> 172.67.177.134:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.5:49739 -> 172.67.177.134:443 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49792 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /12e2f2f2315804d08baebc78b9269ad1.mp3 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /12e2f2f2315804d08baebc78b9269ad1.mp3 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: cia.tf
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000144D000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000143F000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3314491068.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000307C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003089000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003097000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000310F000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000313C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003054000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000307C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003089000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003097000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003028000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000311D000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000310F000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000313C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003097000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003054000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003048000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000144D000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3314491068.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3323711601.00000000061E2000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2518739694.0000000006BD2000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3324129689.0000000006720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ishon.exe, 00000007.00000002.3324129689.0000000006720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000144D000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000143F000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3314491068.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000144D000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3314491068.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001685000.00000004.00000020.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000144D000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.000000000143F000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3314491068.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000307C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003002000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003089000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003097000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000310F000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000313C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000306C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.0000000003161000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2504335246.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.0000000003161000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2504335246.00000000031C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf
Source: ishon.exe, 00000005.00000002.2504335246.00000000031C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/12e2f2f2315804d08baebc78b9269ad1.mp3HI.
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cia.tf/12e2f2f2315804d08baebc78b9269ad1.mp3HIC
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2515782521.000000000446B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000307C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003089000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003097000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003028000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000310F000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000313C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003097000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003054000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003054000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ishon.exe, 00000007.00000002.3315771924.0000000003054000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000307C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003089000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003097000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.0000000003028000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000310F000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000313C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.0000000003097000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000030F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: LAQfpnQvPQ.exe, ishon.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2219471547.000000000320E000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2504335246.000000000326E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.1.182:443 -> 192.168.2.5:49746 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 6364, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FEF98 NtResumeThread, 0_2_069FEF98
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FEF90 NtResumeThread, 0_2_069FEF90
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FE8B8 NtProtectVirtualMemory, 0_2_077FE8B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FE8B0 NtProtectVirtualMemory, 0_2_077FE8B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769CF98 NtProtectVirtualMemory, 5_2_0769CF98
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769F430 NtResumeThread, 5_2_0769F430
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769CF91 NtProtectVirtualMemory, 5_2_0769CF91
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769F428 NtResumeThread, 5_2_0769F428
Detected potential crypto function
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_017ECB14 0_2_017ECB14
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_017EF3B8 0_2_017EF3B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_017EF3A8 0_2_017EF3A8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F06B8 0_2_069F06B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FA430 0_2_069FA430
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F5940 0_2_069F5940
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FA420 0_2_069FA420
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FA5DE 0_2_069FA5DE
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F7A28 0_2_069F7A28
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F7A23 0_2_069F7A23
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FF858 0_2_069FF858
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FF868 0_2_069FF868
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0759EF18 0_2_0759EF18
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07590DD8 0_2_07590DD8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07590DCA 0_2_07590DCA
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0759135E 0_2_0759135E
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07591308 0_2_07591308
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075D4A70 0_2_075D4A70
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075D76C3 0_2_075D76C3
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075D5D50 0_2_075D5D50
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075DC9F8 0_2_075DC9F8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075DC9EA 0_2_075DC9EA
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075D10C8 0_2_075D10C8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075D10B8 0_2_075D10B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0762C5C0 0_2_0762C5C0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_076244E8 0_2_076244E8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07623A20 0_2_07623A20
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_076249F1 0_2_076249F1
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0762D620 0_2_0762D620
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0762D610 0_2_0762D610
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0762C5B1 0_2_0762C5B1
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07623A10 0_2_07623A10
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_076232E8 0_2_076232E8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_076232D8 0_2_076232D8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077503C9 0_2_077503C9
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077506FF 0_2_077506FF
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077515E0 0_2_077515E0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FB508 0_2_077FB508
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FC350 0_2_077FC350
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F4978 0_2_077F4978
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F3940 0_2_077F3940
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FB4F8 0_2_077FB4F8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F4969 0_2_077F4969
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F3930 0_2_077F3930
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FD9B8 0_2_077FD9B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077FD9A7 0_2_077FD9A7
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F30D0 0_2_077F30D0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077F30C3 0_2_077F30C3
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07AA0036 0_2_07AA0036
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_07AA0040 0_2_07AA0040
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2B338 3_2_02D2B338
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2F017 3_2_02D2F017
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2C1A0 3_2_02D2C1A0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D26120 3_2_02D26120
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D246D9 3_2_02D246D9
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2B7E2 3_2_02D2B7E2
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D26748 3_2_02D26748
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2C762 3_2_02D2C762
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2C480 3_2_02D2C480
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2CA42 3_2_02D2CA42
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D29868 3_2_02D29868
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2BEC0 3_2_02D2BEC0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D23572 3_2_02D23572
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2B502 3_2_02D2B502
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2E538 3_2_02D2E538
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D2E527 3_2_02D2E527
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEC9D8 3_2_05AEC9D8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEBD38 3_2_05AEBD38
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEB0A0 3_2_05AEB0A0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AED028 3_2_05AED028
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEA408 3_2_05AEA408
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEC388 3_2_05AEC388
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE8B58 3_2_05AE8B58
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEB6E8 3_2_05AEB6E8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE8608 3_2_05AE8608
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AED670 3_2_05AED670
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEAA58 3_2_05AEAA58
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE11A0 3_2_05AE11A0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE81A0 3_2_05AE81A0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE81B0 3_2_05AE81B0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE518A 3_2_05AE518A
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5198 3_2_05AE5198
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE1191 3_2_05AE1191
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE85FC 3_2_05AE85FC
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEC9C8 3_2_05AEC9C8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEBD2B 3_2_05AEBD2B
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0D39 3_2_05AE0D39
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7900 3_2_05AE7900
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0D48 3_2_05AE0D48
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7D48 3_2_05AE7D48
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7D58 3_2_05AE7D58
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE74A8 3_2_05AE74A8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE28B0 3_2_05AE28B0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0488 3_2_05AE0488
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0498 3_2_05AE0498
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7497 3_2_05AE7497
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEB090 3_2_05AEB090
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE08E0 3_2_05AE08E0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE08F0 3_2_05AE08F0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE78F0 3_2_05AE78F0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE4430 3_2_05AE4430
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE2809 3_2_05AE2809
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0006 3_2_05AE0006
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE2807 3_2_05AE2807
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AED018 3_2_05AED018
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE0040 3_2_05AE0040
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7040 3_2_05AE7040
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE7050 3_2_05AE7050
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE33A8 3_2_05AE33A8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE33B8 3_2_05AE33B8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEA3F8 3_2_05AEA3F8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE6BC1 3_2_05AE6BC1
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE6BD0 3_2_05AE6BD0
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE6320 3_2_05AE6320
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE3730 3_2_05AE3730
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE6310 3_2_05AE6310
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE676A 3_2_05AE676A
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE6778 3_2_05AE6778
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEC378 3_2_05AEC378
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5EB8 3_2_05AE5EB8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5EC8 3_2_05AE5EC8
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEB6D9 3_2_05AEB6D9
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5609 3_2_05AE5609
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5618 3_2_05AE5618
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AED662 3_2_05AED662
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5A60 3_2_05AE5A60
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE5A70 3_2_05AE5A70
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AEAA48 3_2_05AEAA48
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0134CB14 5_2_0134CB14
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0134F3B8 5_2_0134F3B8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0134F3A8 5_2_0134F3A8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07430DCA 5_2_07430DCA
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07430DD8 5_2_07430DD8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07431358 5_2_07431358
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07497BDB 5_2_07497BDB
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07494B88 5_2_07494B88
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07496238 5_2_07496238
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07490040 5_2_07490040
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0749CF10 5_2_0749CF10
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074911D0 5_2_074911D0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074911E0 5_2_074911E0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C3618 5_2_074C3618
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C45F5 5_2_074C45F5
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074CC5B8 5_2_074CC5B8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C40E0 5_2_074C40E0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C3608 5_2_074C3608
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074CD608 5_2_074CD608
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074CD618 5_2_074CD618
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C2ED0 5_2_074C2ED0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074C2EE0 5_2_074C2EE0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074CC5AD 5_2_074CC5AD
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F03C9 5_2_075F03C9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F06FF 5_2_075F06FF
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F15E0 5_2_075F15E0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0762A6C0 5_2_0762A6C0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07625BD0 5_2_07625BD0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0762A6B0 5_2_0762A6B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07620548 5_2_07620548
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07627CB2 5_2_07627CB2
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07627CB8 5_2_07627CB8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0762E1E8 5_2_0762E1E8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0762E1D9 5_2_0762E1D9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0762A86E 5_2_0762A86E
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07699BE8 5_2_07699BE8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07693BD0 5_2_07693BD0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769AA30 5_2_0769AA30
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07693010 5_2_07693010
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07699BD8 5_2_07699BD8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07693000 5_2_07693000
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769C088 5_2_0769C088
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769C098 5_2_0769C098
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07940036 5_2_07940036
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07940040 5_2_07940040
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_01556108 7_2_01556108
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155C190 7_2_0155C190
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155F007 7_2_0155F007
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155B328 7_2_0155B328
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155C470 7_2_0155C470
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155C752 7_2_0155C752
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_01559858 7_2_01559858
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_01556880 7_2_01556880
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155BBD2 7_2_0155BBD2
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155CA32 7_2_0155CA32
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_01554AD9 7_2_01554AD9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155BEB0 7_2_0155BEB0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_01553572 7_2_01553572
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155E517 7_2_0155E517
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155E528 7_2_0155E528
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_0155B4F2 7_2_0155B4F2
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBB6E8 7_2_06BBB6E8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB8608 7_2_06BB8608
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBD670 7_2_06BBD670
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBA408 7_2_06BBA408
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBBD38 7_2_06BBBD38
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBAA58 7_2_06BBAA58
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBC388 7_2_06BBC388
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB6320 7_2_06BB6320
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB8B58 7_2_06BB8B58
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBB0A0 7_2_06BBB0A0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBD028 7_2_06BBD028
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB11A0 7_2_06BB11A0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBC9D8 7_2_06BBC9D8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5EB8 7_2_06BB5EB8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBB6D9 7_2_06BBB6D9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5EC8 7_2_06BB5EC8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5618 7_2_06BB5618
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB560A 7_2_06BB560A
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBD662 7_2_06BBD662
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB3730 7_2_06BB3730
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB6778 7_2_06BB6778
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB676A 7_2_06BB676A
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB74A8 7_2_06BB74A8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0498 7_2_06BB0498
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7497 7_2_06BB7497
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0488 7_2_06BB0488
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB4430 7_2_06BB4430
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB85FF 7_2_06BB85FF
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0D39 7_2_06BB0D39
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBBD28 7_2_06BBBD28
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7D58 7_2_06BB7D58
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0D48 7_2_06BB0D48
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7D48 7_2_06BB7D48
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5A70 7_2_06BB5A70
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5A60 7_2_06BB5A60
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBAA48 7_2_06BBAA48
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB33B8 7_2_06BB33B8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB33A8 7_2_06BB33A8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBA3F8 7_2_06BBA3F8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB6BD0 7_2_06BB6BD0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB6BC1 7_2_06BB6BC1
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB6312 7_2_06BB6312
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBC378 7_2_06BBC378
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB28B0 7_2_06BB28B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB08F0 7_2_06BB08F0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB78F0 7_2_06BB78F0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB08E0 7_2_06BB08E0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBD018 7_2_06BBD018
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB2809 7_2_06BB2809
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB2807 7_2_06BB2807
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0006 7_2_06BB0006
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7050 7_2_06BB7050
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB0040 7_2_06BB0040
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7047 7_2_06BB7047
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB81B0 7_2_06BB81B0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB81A0 7_2_06BB81A0
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB5198 7_2_06BB5198
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB518A 7_2_06BB518A
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BBC9C8 7_2_06BBC9C8
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 7_2_06BB7900 7_2_06BB7900
PE / OLE file has an invalid certificate
Source: LAQfpnQvPQ.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.00000000031B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.00000000036B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2241775942.0000000006A10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2243605676.0000000007450000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameYxafaye.dll" vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000000.2056233227.0000000000E7A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRef#10784512.exeF vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYxafaye.dll" vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.00000000015AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000003.00000002.3312271782.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe, 00000003.00000002.3312735643.0000000000F67000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LAQfpnQvPQ.exe
Source: LAQfpnQvPQ.exe Binary or memory string: OriginalFilenameRef#10784512.exeF vs LAQfpnQvPQ.exe
Uses 32bit PE files
Source: LAQfpnQvPQ.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: LAQfpnQvPQ.exe PID: 6364, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: LAQfpnQvPQ.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ishon.exe.0.dr, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Mutant created: NULL
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: LAQfpnQvPQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LAQfpnQvPQ.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000315C000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3319653378.0000000003FBD000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000316B000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.000000000317A000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000003.00000002.3315124818.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3321113680.000000000401C000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3315771924.000000000320D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: LAQfpnQvPQ.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File read: C:\Users\user\Desktop\LAQfpnQvPQ.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LAQfpnQvPQ.exe "C:\Users\user\Desktop\LAQfpnQvPQ.exe"
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process created: C:\Users\user\Desktop\LAQfpnQvPQ.exe "C:\Users\user\Desktop\LAQfpnQvPQ.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process created: C:\Users\user\Desktop\LAQfpnQvPQ.exe "C:\Users\user\Desktop\LAQfpnQvPQ.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe" Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: LAQfpnQvPQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LAQfpnQvPQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: LAQfpnQvPQ.exe, 00000000.00000002.2241775942.0000000006A10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: LAQfpnQvPQ.exe, 00000000.00000002.2241775942.0000000006A10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: LAQfpnQvPQ.exe, 00000000.00000002.2244898671.0000000007700000.00000004.08000000.00040000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, LAQfpnQvPQ.exe, 00000000.00000002.2236686553.00000000043C5000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.LAQfpnQvPQ.exe.6a10000.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.LAQfpnQvPQ.exe.7700000.7.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.LAQfpnQvPQ.exe.7700000.7.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.LAQfpnQvPQ.exe.7700000.7.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.LAQfpnQvPQ.exe.7700000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.LAQfpnQvPQ.exe.7700000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.LAQfpnQvPQ.exe.43c5c20.3.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.LAQfpnQvPQ.exe.43c5c20.3.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.LAQfpnQvPQ.exe.43c5c20.3.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.LAQfpnQvPQ.exe.43c5c20.3.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.LAQfpnQvPQ.exe.43c5c20.3.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 5.2.ishon.exe.43511c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.76a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.42f11c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2515782521.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2244743417.00000000076A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2219471547.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2504335246.000000000326E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_017EDA98 pushad ; ret 0_2_017EDA99
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F7658 pushfd ; ret 0_2_069F7659
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F3E66 push BA056CC2h; retf 0_2_069F3E6B
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FB74D push es; iretd 0_2_069FB75C
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F8510 pushfd ; retf 0_2_069F8519
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069F823E push es; iretd 0_2_069F8240
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_069FCBD6 push es; iretd 0_2_069FCBDC
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075F455B push eax; ret 0_2_075F4949
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075F4560 push eax; ret 0_2_075F4949
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075F3C11 push esp; retf 0_2_075F3C8D
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_075F3C30 push esp; retf 0_2_075F3C8D
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0762F078 push 0C077DCBh; retf 0_2_0762F07D
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_077557A5 push FFFFFF8Bh; iretd 0_2_077557A7
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 0_2_0775578B push FFFFFF8Bh; ret 0_2_07755790
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_02D29720 push esp; ret 3_2_02D29721
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Code function: 3_2_05AE3181 push ebx; retf 3_2_05AE3182
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0134DA98 pushad ; ret 5_2_0134DA99
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07481913 push eax; ret 5_2_0748191D
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07483D33 pushfd ; retf 5_2_07483D4D
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07483D9D push C006C4F1h; retf 5_2_07483DAD
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07483C73 push esp; retf 5_2_07483C8D
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_074CF068 push 0C0767CBh; retf 5_2_074CF06D
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F578D push FFFFFF8Bh; ret 5_2_075F5790
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F57A4 push FFFFFF8Bh; iretd 5_2_075F57A7
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_075F2203 push cs; iretd 5_2_075F2204
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_076287A0 pushfd ; retf 5_2_076287A9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_07623CF6 push BA0556C2h; retf 5_2_07623CFB
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_076278E8 pushfd ; ret 5_2_076278E9
Source: C:\Users\user\AppData\Roaming\ishon.exe Code function: 5_2_0769C76A push ss; ret 5_2_0769C771
Drops PE files
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File created: C:\Users\user\AppData\Roaming\ishon.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: LAQfpnQvPQ.exe, 00000000.00000002.2219471547.000000000320E000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2504335246.000000000326E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 17E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 3160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 5160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 2CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: 2E40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 1340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 31C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 3000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 1550000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory allocated: 2DA0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599669 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599526 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599179 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599072 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598624 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597749 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597153 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596779 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596637 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595875 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595218 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594672 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594561 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594343 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594230 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594089 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 593967 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 593859 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599702 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599593 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599484 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599373 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599265 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599155 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599047 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598718 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598499 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598390 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598171 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598062 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597623 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597405 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597253 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596874 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595342 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595002 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594328 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Window / User API: threadDelayed 2068 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Window / User API: threadDelayed 6082 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Window / User API: threadDelayed 2211 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Window / User API: threadDelayed 7621 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 3282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 3123 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 4438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Window / User API: threadDelayed 5404 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 1816 Thread sleep count: 2068 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 1816 Thread sleep count: 6082 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99317s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98623s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98175s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -98042s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97605s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -97047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -96047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -95937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -95828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 2412 Thread sleep time: -95718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 6020 Thread sleep count: 2211 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 6020 Thread sleep count: 7621 > 30 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599669s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599526s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599179s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -599072s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -597153s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596779s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596637s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -596093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -595000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594561s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594230s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -594089s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -593967s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe TID: 4072 Thread sleep time: -593859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -19369081277395017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5744 Thread sleep count: 3282 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5136 Thread sleep count: 3123 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99853s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99427s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99303s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99137s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98905s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98467s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98357s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -98015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97796s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97468s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97140s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -96921s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -96812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -96506s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -96375s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 1532 Thread sleep time: -96265s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -37815825351104557s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5244 Thread sleep count: 4438 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599702s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599593s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5244 Thread sleep count: 5404 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599484s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599373s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599265s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -599047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598937s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598828s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598718s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598609s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598499s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598390s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598171s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -598062s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597623s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597405s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -597253s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595671s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595342s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595124s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -595002s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5272 Thread sleep time: -594328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99317 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99187 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 99078 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98969 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98844 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98734 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98623 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98515 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98406 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98296 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98175 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 98042 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97827 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97718 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97605 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97500 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97390 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97280 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97172 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 97047 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96937 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96828 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96719 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96594 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96375 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96156 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 96047 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 95828 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 95718 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599669 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599526 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599179 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 599072 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598624 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597749 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 597153 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596779 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596637 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 596093 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595875 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595765 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595218 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594672 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594561 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594343 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594230 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 594089 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 593967 Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Thread delayed: delay time: 593859 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99853 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99749 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99427 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99303 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99137 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98905 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98467 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98357 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 98015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97796 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97140 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 97031 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96921 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96506 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96375 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599702 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599593 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599484 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599373 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599265 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599155 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 599047 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598718 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598499 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598390 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598171 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 598062 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597843 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597623 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597405 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 597253 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596874 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595342 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 595002 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: LAQfpnQvPQ.exe, 00000000.00000002.2218583888.0000000001645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: ishon.exe, 00000005.00000002.2504335246.000000000326E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: ishon.exe, 00000005.00000002.2504335246.000000000326E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: LAQfpnQvPQ.exe, 00000003.00000002.3313003733.0000000001277000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000005.00000002.2502364705.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.3313643471.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Memory written: C:\Users\user\Desktop\LAQfpnQvPQ.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Memory written: C:\Users\user\AppData\Roaming\ishon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Process created: C:\Users\user\Desktop\LAQfpnQvPQ.exe "C:\Users\user\Desktop\LAQfpnQvPQ.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Users\user\Desktop\LAQfpnQvPQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Users\user\Desktop\LAQfpnQvPQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 7.2.ishon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3315771924.0000000003159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3312269079.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3315771924.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3315124818.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 6184, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\LAQfpnQvPQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 6184, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 7.2.ishon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ishon.exe.4228890.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ishon.exe.4228890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LAQfpnQvPQ.exe.41c8bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3315771924.0000000003159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2515782521.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312271782.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3312269079.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3315124818.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2515782521.0000000004228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3315771924.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2236686553.00000000041C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3315124818.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 5144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LAQfpnQvPQ.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 2888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ishon.exe PID: 6184, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562379 Sample: LAQfpnQvPQ.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 30 reallyfreegeoip.org 2->30 32 cia.tf 2->32 34 2 other IPs or domains 2->34 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 58 9 other signatures 2->58 8 LAQfpnQvPQ.exe 15 5 2->8         started        13 wscript.exe 1 2->13         started        signatures3 56 Tries to detect the country of the analysis system (by using the IP) 30->56 process4 dnsIp5 36 cia.tf 104.21.1.182, 443, 49710, 49746 CLOUDFLARENETUS United States 8->36 24 C:\Users\user\AppData\Roaming\ishon.exe, PE32 8->24 dropped 26 C:\Users\user\...\ishon.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\user\AppData\Roaming\...\ishon.vbs, ASCII 8->28 dropped 64 Drops VBS files to the startup folder 8->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->66 68 Injects a PE file into a foreign processes 8->68 15 LAQfpnQvPQ.exe 2 8->15         started        70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->70 19 ishon.exe 14 2 13->19         started        file6 signatures7 process8 dnsIp9 38 checkip.dyndns.com 193.122.130.0, 49712, 49727, 49738 ORACLE-BMC-31898US United States 15->38 40 reallyfreegeoip.org 172.67.177.134, 443, 49716, 49724 CLOUDFLARENETUS United States 15->40 42 Tries to steal Mail credentials (via file / registry access) 15->42 44 Multi AV Scanner detection for dropped file 19->44 46 Machine Learning detection for dropped file 19->46 48 Injects a PE file into a foreign processes 19->48 21 ishon.exe 2 19->21         started        signatures10 process11 signatures12 60 Tries to steal Mail credentials (via file / registry access) 21->60 62 Tries to harvest and steal browser information (history, passwords, etc) 21->62
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.1.182
 cia.tf United States
13335 CLOUDFLARENETUS false
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
172.67.177.134
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cia.tf 104.21.1.182 true
reallyfreegeoip.org 172.67.177.134 true
checkip.dyndns.com 193.122.130.0 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cia.tf/12e2f2f2315804d08baebc78b9269ad1.mp3 false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.75 false
    		high
    http://checkip.dyndns.org/ false
      		high