Windows Analysis Report
e-dekont_html.scr.exe

Overview

General Information

Sample name:	e-dekont_html.scr.exe
Analysis ID:	1426827
MD5:	abc774f48c2e514bde4ba275a4314b4a
SHA1:	141d5d859afb0340302bd4ee2ca2be9493f39804
SHA256:	fad3e7058eb2fa88ce97e62a6a243748d6736f9c4e21e4112ed61a40813588b2
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Found malware configuration

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Virustotal: Detection: 37%			Perma Link

Multi AV Scanner detection for submitted file

Source: e-dekont_html.scr.exe	ReversingLabs: Detection: 31%
Source: e-dekont_html.scr.exe	Virustotal: Detection: 37%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: e-dekont_html.scr.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack

Uses 32bit PE files

Source: e-dekont_html.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: e-dekont_html.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CE27B
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CE1B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CDE28
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CDF11
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D080
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D169
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D4D3

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 185.174.175.187:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 185.174.175.187:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: cp8nl.hyperhost.ua

Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/7
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.co=
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002C55000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000A.00000002.1550186245.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: e-dekont_html.scr.exe, 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, hxAF.cs	.Net Code: gcE

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.e-dekont_html.scr.exe.2bb24e0.5.raw.unpack, SQL.cs	Large array initialization: : array initializer size 13797
Source: 1.2.e-dekont_html.scr.exe.2940000.1.raw.unpack, SQL.cs	Large array initialization: : array initializer size 13797

Detected potential crypto function

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4039	1_2_00FD4039
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4710	1_2_00FD4710
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4CF4	1_2_00FD4CF4
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5EB8	1_2_00FD5EB8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD40FE	1_2_00FD40FE
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD40CF	1_2_00FD40CF
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD418A	1_2_00FD418A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4156	1_2_00FD4156
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD42B9	1_2_00FD42B9
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD7390	1_2_00FD7390
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD7380	1_2_00FD7380
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4700	1_2_00FD4700
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD6820	1_2_00FD6820
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD6810	1_2_00FD6810
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5DD9	1_2_00FD5DD9
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C9798	1_2_029C9798
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C97A8	1_2_029C97A8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8730	1_2_029C8730
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CF560	1_2_029CF560
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C6A9F	1_2_029C6A9F
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CDBC1	1_2_029CDBC1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8B58	1_2_029C8B58
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8B68	1_2_029C8B68
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C6F28	1_2_029C6F28
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CAC48	1_2_029CAC48
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096A1138	1_2_096A1138
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096A53D8	1_2_096A53D8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BF990	1_2_096BF990
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BA0B7	1_2_096BA0B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B7A00	1_2_096B7A00
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BB2E0	1_2_096BB2E0
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B79F1	1_2_096B79F1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B45BD	1_2_096B45BD
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09B0F090	1_2_09B0F090
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09B03C10	1_2_09B03C10
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B9CF0	1_2_0B2B9CF0
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B2420	1_2_0B2B2420
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2BE498	1_2_0B2BE498
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B4280	1_2_0B2B4280
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2BE641	1_2_0B2BE641
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2E1928	1_2_0B2E1928
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E4A98	9_2_015E4A98
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015ECE8E	9_2_015ECE8E
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E3E80	9_2_015E3E80
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E41C8	9_2_015E41C8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D2EF8	9_2_065D2EF8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D56E8	9_2_065D56E8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D3F58	9_2_065D3F58
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065DDCCD	9_2_065DDCCD
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065DBD10	9_2_065DBD10
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D8B9B	9_2_065D8B9B
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D0040	9_2_065D0040
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D3653	9_2_065D3653
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D5008	9_2_065D5008
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44039	10_2_00A44039
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44710	10_2_00A44710
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44CF4	10_2_00A44CF4
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45EB8	10_2_00A45EB8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A440FE	10_2_00A440FE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A440CF	10_2_00A440CF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4418A	10_2_00A4418A
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44156	10_2_00A44156
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A442B9	10_2_00A442B9
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4738F	10_2_00A4738F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47390	10_2_00A47390
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44700	10_2_00A44700
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46820	10_2_00A46820
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4681F	10_2_00A4681F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45DD9	10_2_00A45DD9
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738730	10_2_02738730
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273E7C0	10_2_0273E7C0
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273E7B1	10_2_0273E7B1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_027397A1	10_2_027397A1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_027397A8	10_2_027397A8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02736AF1	10_2_02736AF1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738B68	10_2_02738B68
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738B58	10_2_02738B58
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02736F28	10_2_02736F28
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273AC48	10_2_0273AC48
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC67D8	10_2_04CC67D8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC67D3	10_2_04CC67D3
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CCD138	10_2_04CCD138
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CCD133	10_2_04CCD133
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC4864	10_2_04CC4864
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_07C6B578	10_2_07C6B578
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_07C6B56B	10_2_07C6B56B
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD1138	10_2_08DD1138
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD53D8	10_2_08DD53D8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD53C7	10_2_08DD53C7
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE5038	10_2_08DE5038
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE49F8	10_2_08DE49F8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE4A00	10_2_08DE4A00
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE458F	10_2_08DE458F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE45A0	10_2_08DE45A0
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0923F090	10_2_0923F090
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0923DCC8	10_2_0923DCC8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_09233C10	10_2_09233C10
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5A388	10_2_0AA5A388
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5E498	10_2_0AA5E498
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA52420	10_2_0AA52420
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA54270	10_2_0AA54270
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5E641	10_2_0AA5E641
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE4A98	14_2_02FE4A98
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE9B28	14_2_02FE9B28
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE3E80	14_2_02FE3E80
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FECDA8	14_2_02FECDA8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE41C8	14_2_02FE41C8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_066856E8	14_2_066856E8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06682EF8	14_2_06682EF8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06683F58	14_2_06683F58
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_0668DD18	14_2_0668DD18
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06688B9B	14_2_06688B9B
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06680040	14_2_06680040
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06683668	14_2_06683668
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06685008	14_2_06685008
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EBB308	14_2_06EBB308
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EBB307	14_2_06EBB307
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EB9858	14_2_06EB9858

PE / OLE file has an invalid certificate

Source: e-dekont_html.scr.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1466279913.000000000B590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002C55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1454886468.0000000002940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000000.1356411107.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1453634826.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1464380345.000000000B252000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1457375395.00000000047F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000009.00000002.2608839721.0000000001159000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe

Uses 32bit PE files

Source: e-dekont_html.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: e-dekont_html.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZRbgEuSJYOgOl.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Mutant created: \Sessions\1\BaseNamedObjects\HPDeNUPQPJYlUpFApIqGxGZiQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA98F.tmp

Jump to behavior

Source: e-dekont_html.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e-dekont_html.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e-dekont_html.scr.exe	ReversingLabs: Detection: 31%
Source: e-dekont_html.scr.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File read: C:\Users\user\Desktop\e-dekont_html.scr.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: e-dekont_html.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e-dekont_html.scr.exe

Static file information: File size 1053704 > 1048576

Source: e-dekont_html.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack

.NET source code contains potential unpacker

Source: 1.2.e-dekont_html.scr.exe.2bb24e0.5.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.2940000.1.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5809 push ebp; iretd	1_2_00FD5814
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096ACF79 push esi; retf	1_2_096ACF7A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB1B0 push ebp; retf	1_2_096AB1B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB277 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB473 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB402 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09AF1E89 push ebx; retf	1_2_09AF1E8A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09AF2EE5 push esp; retf	1_2_09AF2EE7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2D211D pushfd ; iretd	1_2_0B2D211E
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2D47EE push ss; ret	1_2_0B2D47EF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47009 push ecx; ret	10_2_00A47016
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A462F0 push edx; ret	10_2_00A462FE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45208 push ecx; ret	10_2_00A45216
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47380 push esp; ret	10_2_00A4738E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A465B8 push ebp; ret	10_2_00A465C6
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46560 push ebp; ret	10_2_00A46567
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47610 push esp; ret	10_2_00A4761E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46720 push eax; ret	10_2_00A4672E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4574A push edx; ret	10_2_00A4574C
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A458B0 push edx; ret	10_2_00A458B2
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4583C push edi; ret	10_2_00A4583D
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45809 push ebp; iretd	10_2_00A45814
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45937 push edi; ret	10_2_00A45938
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45AD1 push edx; ret	10_2_00A45AD3
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45ADD push edx; ret	10_2_00A45ADF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45B01 push ecx; ret	10_2_00A45B03
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45B42 push eax; ret	10_2_00A45B43
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45CA0 push ecx; ret	10_2_00A45CA2
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45C92 push edx; ret	10_2_00A45C94
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46CC8 push 4F340279h; ret	10_2_00A46DDE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46DD0 push 4F340279h; ret	10_2_00A46DDE

Source: e-dekont_html.scr.exe	Static PE information: section name: .text entropy: 7.604412881501509
Source: ZRbgEuSJYOgOl.exe.1.dr	Static PE information: section name: .text entropy: 7.604412881501509

Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'

Drops PE files

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 6C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 5850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 4E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 6850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 3130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 5130000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7644	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8012	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Window / User API: threadDelayed 3243	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Window / User API: threadDelayed 6577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Window / User API: threadDelayed 2752
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Window / User API: threadDelayed 7088

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 7644 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 348 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8064	Thread sleep count: 3243 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99635s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99420s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8064	Thread sleep count: 6577 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97237s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94847s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94277s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94057s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -93951s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -92362s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 8080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 996	Thread sleep count: 2752 > 30
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 996	Thread sleep count: 7088 > 30
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99670s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99561s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99342s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99086s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98856s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98120s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97195s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97091s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96976s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96750s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96516s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96391s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95813s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95469s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95141s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94915s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94797s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94672s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94563s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94219s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99635	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99420	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99273	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99044	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97237	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94847	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94719	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94594	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94277	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94172	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94057	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 93951	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 92362	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99670
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99561
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99342
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99086
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98856
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98120
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97766
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97438
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97313
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97195
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97091
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96976
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96750
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96641
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96516
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96391
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96172
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95938
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95813
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95703
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95594
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95469
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95359
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95250
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95141
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95031
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94915
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94797
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94672
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94563
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94438
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94328
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94219

Source: ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e-dekont_html.scr.exe, 00000009.00000002.2610403456.0000000001442000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory written: C:\Users\user\Desktop\e-dekont_html.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory written: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.175.187	cp8nl.hyperhost.ua	Ukraine		21100	ITLDC-NLUA	false

Contacted Domains

Name	IP	Active
cp8nl.hyperhost.ua	185.174.175.187	true

AV Detection

Found malware configuration

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Virustotal: Detection: 37%			Perma Link

Multi AV Scanner detection for submitted file

Source: e-dekont_html.scr.exe	ReversingLabs: Detection: 31%
Source: e-dekont_html.scr.exe	Virustotal: Detection: 37%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: e-dekont_html.scr.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack

Uses 32bit PE files

Source: e-dekont_html.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: e-dekont_html.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CE27B
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CE1B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CDE28
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 4x nop then jmp 029CE7EFh	1_2_029CDF11
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D080
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D169
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 4x nop then jmp 0273DA47h	10_2_0273D4D3

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 185.174.175.187:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 185.174.175.187:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: cp8nl.hyperhost.ua

Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/7
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.co=
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002C55000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000A.00000002.1550186245.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: e-dekont_html.scr.exe, 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: e-dekont_html.scr.exe, 00000009.00000002.2612262125.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.scr.exe, 00000009.00000002.2628657547.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2612303414.0000000003186000.00000004.00000800.00020000.00000000.sdmp, ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: e-dekont_html.scr.exe, ZRbgEuSJYOgOl.exe.1.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, hxAF.cs	.Net Code: gcE

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 1.2.e-dekont_html.scr.exe.2bb24e0.5.raw.unpack, SQL.cs	Large array initialization: : array initializer size 13797
Source: 1.2.e-dekont_html.scr.exe.2940000.1.raw.unpack, SQL.cs	Large array initialization: : array initializer size 13797

Detected potential crypto function

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4039	1_2_00FD4039
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4710	1_2_00FD4710
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4CF4	1_2_00FD4CF4
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5EB8	1_2_00FD5EB8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD40FE	1_2_00FD40FE
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD40CF	1_2_00FD40CF
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD418A	1_2_00FD418A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4156	1_2_00FD4156
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD42B9	1_2_00FD42B9
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD7390	1_2_00FD7390
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD7380	1_2_00FD7380
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD4700	1_2_00FD4700
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD6820	1_2_00FD6820
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD6810	1_2_00FD6810
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5DD9	1_2_00FD5DD9
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C9798	1_2_029C9798
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C97A8	1_2_029C97A8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8730	1_2_029C8730
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CF560	1_2_029CF560
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C6A9F	1_2_029C6A9F
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CDBC1	1_2_029CDBC1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8B58	1_2_029C8B58
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C8B68	1_2_029C8B68
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029C6F28	1_2_029C6F28
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_029CAC48	1_2_029CAC48
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096A1138	1_2_096A1138
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096A53D8	1_2_096A53D8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BF990	1_2_096BF990
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BA0B7	1_2_096BA0B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B7A00	1_2_096B7A00
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096BB2E0	1_2_096BB2E0
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B79F1	1_2_096B79F1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096B45BD	1_2_096B45BD
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09B0F090	1_2_09B0F090
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09B03C10	1_2_09B03C10
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B9CF0	1_2_0B2B9CF0
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B2420	1_2_0B2B2420
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2BE498	1_2_0B2BE498
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2B4280	1_2_0B2B4280
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2BE641	1_2_0B2BE641
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2E1928	1_2_0B2E1928
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E4A98	9_2_015E4A98
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015ECE8E	9_2_015ECE8E
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E3E80	9_2_015E3E80
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_015E41C8	9_2_015E41C8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D2EF8	9_2_065D2EF8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D56E8	9_2_065D56E8
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D3F58	9_2_065D3F58
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065DDCCD	9_2_065DDCCD
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065DBD10	9_2_065DBD10
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D8B9B	9_2_065D8B9B
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D0040	9_2_065D0040
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D3653	9_2_065D3653
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 9_2_065D5008	9_2_065D5008
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44039	10_2_00A44039
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44710	10_2_00A44710
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44CF4	10_2_00A44CF4
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45EB8	10_2_00A45EB8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A440FE	10_2_00A440FE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A440CF	10_2_00A440CF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4418A	10_2_00A4418A
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44156	10_2_00A44156
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A442B9	10_2_00A442B9
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4738F	10_2_00A4738F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47390	10_2_00A47390
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A44700	10_2_00A44700
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46820	10_2_00A46820
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4681F	10_2_00A4681F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45DD9	10_2_00A45DD9
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738730	10_2_02738730
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273E7C0	10_2_0273E7C0
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273E7B1	10_2_0273E7B1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_027397A1	10_2_027397A1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_027397A8	10_2_027397A8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02736AF1	10_2_02736AF1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738B68	10_2_02738B68
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02738B58	10_2_02738B58
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_02736F28	10_2_02736F28
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0273AC48	10_2_0273AC48
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC67D8	10_2_04CC67D8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC67D3	10_2_04CC67D3
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CCD138	10_2_04CCD138
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CCD133	10_2_04CCD133
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_04CC4864	10_2_04CC4864
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_07C6B578	10_2_07C6B578
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_07C6B56B	10_2_07C6B56B
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD1138	10_2_08DD1138
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD53D8	10_2_08DD53D8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DD53C7	10_2_08DD53C7
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE5038	10_2_08DE5038
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE49F8	10_2_08DE49F8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE4A00	10_2_08DE4A00
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE458F	10_2_08DE458F
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_08DE45A0	10_2_08DE45A0
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0923F090	10_2_0923F090
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0923DCC8	10_2_0923DCC8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_09233C10	10_2_09233C10
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5A388	10_2_0AA5A388
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5E498	10_2_0AA5E498
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA52420	10_2_0AA52420
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA54270	10_2_0AA54270
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_0AA5E641	10_2_0AA5E641
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE4A98	14_2_02FE4A98
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE9B28	14_2_02FE9B28
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE3E80	14_2_02FE3E80
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FECDA8	14_2_02FECDA8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_02FE41C8	14_2_02FE41C8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_066856E8	14_2_066856E8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06682EF8	14_2_06682EF8
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06683F58	14_2_06683F58
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_0668DD18	14_2_0668DD18
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06688B9B	14_2_06688B9B
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06680040	14_2_06680040
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06683668	14_2_06683668
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06685008	14_2_06685008
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EBB308	14_2_06EBB308
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EBB307	14_2_06EBB307
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 14_2_06EB9858	14_2_06EB9858

PE / OLE file has an invalid certificate

Source: e-dekont_html.scr.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1466279913.000000000B590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1455141178.0000000002C55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1454886468.0000000002940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000000.1356411107.00000000006B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1453634826.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1464380345.000000000B252000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000001.00000002.1457375395.00000000047F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe, 00000009.00000002.2608839721.0000000001159000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs e-dekont_html.scr.exe
Source: e-dekont_html.scr.exe	Binary or memory string: OriginalFilenameLBwG.exe: vs e-dekont_html.scr.exe

Uses 32bit PE files

Source: e-dekont_html.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: e-dekont_html.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZRbgEuSJYOgOl.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, RJD2yDAA3mME3n9aB8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Mutant created: \Sessions\1\BaseNamedObjects\HPDeNUPQPJYlUpFApIqGxGZiQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA98F.tmp

Jump to behavior

Source: e-dekont_html.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e-dekont_html.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e-dekont_html.scr.exe	ReversingLabs: Detection: 31%
Source: e-dekont_html.scr.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File read: C:\Users\user\Desktop\e-dekont_html.scr.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: e-dekont_html.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e-dekont_html.scr.exe

Static file information: File size 1053704 > 1048576

Source: e-dekont_html.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Unpacked PE file: 1.2.e-dekont_html.scr.exe.6b0000.0.unpack

.NET source code contains potential unpacker

Source: 1.2.e-dekont_html.scr.exe.2bb24e0.5.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.2940000.1.raw.unpack, SQL.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	.Net Code: BlDiTS8iJn System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_00FD5809 push ebp; iretd	1_2_00FD5814
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096ACF79 push esi; retf	1_2_096ACF7A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB1B0 push ebp; retf	1_2_096AB1B7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB277 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB473 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_096AB402 push 00000009h; iretd	1_2_096AB400
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09AF1E89 push ebx; retf	1_2_09AF1E8A
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_09AF2EE5 push esp; retf	1_2_09AF2EE7
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2D211D pushfd ; iretd	1_2_0B2D211E
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Code function: 1_2_0B2D47EE push ss; ret	1_2_0B2D47EF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47009 push ecx; ret	10_2_00A47016
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A462F0 push edx; ret	10_2_00A462FE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45208 push ecx; ret	10_2_00A45216
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47380 push esp; ret	10_2_00A4738E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A465B8 push ebp; ret	10_2_00A465C6
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46560 push ebp; ret	10_2_00A46567
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A47610 push esp; ret	10_2_00A4761E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46720 push eax; ret	10_2_00A4672E
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4574A push edx; ret	10_2_00A4574C
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A458B0 push edx; ret	10_2_00A458B2
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A4583C push edi; ret	10_2_00A4583D
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45809 push ebp; iretd	10_2_00A45814
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45937 push edi; ret	10_2_00A45938
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45AD1 push edx; ret	10_2_00A45AD3
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45ADD push edx; ret	10_2_00A45ADF
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45B01 push ecx; ret	10_2_00A45B03
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45B42 push eax; ret	10_2_00A45B43
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45CA0 push ecx; ret	10_2_00A45CA2
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A45C92 push edx; ret	10_2_00A45C94
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46CC8 push 4F340279h; ret	10_2_00A46DDE
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Code function: 10_2_00A46DD0 push 4F340279h; ret	10_2_00A46DDE

Source: e-dekont_html.scr.exe	Static PE information: section name: .text entropy: 7.604412881501509
Source: ZRbgEuSJYOgOl.exe.1.dr	Static PE information: section name: .text entropy: 7.604412881501509

Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.49fc188.15.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.4a787a8.16.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, BnQrcqiscApvrapbDw.cs	High entropy of concatenated method names: 'YUyBoo8tKW', 'vepBt43Ssn', 'ePiBeT8Yxb', 'KACBVgbJtX', 'PZhBOvrAWj', 'RksBmB0uZp', 'y5NBgNIowE', 'oUlB74mZ4E', 'PwJBXQsUnj', 'QrEBqaju1M'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Eb7IhLjibfvCytpKqj.cs	High entropy of concatenated method names: 'JMKa81L83W', 'Dbvak9hc7a', 'WgqaFBvBgC', 'FMnaOakhg7', 'sHjagcQQoq', 'UKZa7b3Uiu', 'PdpaqfBQV1', 'mpcaj0uLs9', 'gWvaowBRfK', 'MbAaJE9X9h'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, DCHyiIOxDrHR7VSveM.cs	High entropy of concatenated method names: 'BNDLESXONU', 'PceLbxp4Pf', 'UORLTKoBJf', 'g3BL6qfEqa', 'kScLW476HM', 'DOKLUO9MAW', 'BypL1iEsXX', 'XKGL8Is1Ky', 'hPPLk77lIm', 'ChqLQS7syS'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, xBY3PDf6vJKGLwNm7f.cs	High entropy of concatenated method names: 't3ofpAuFfT', 'YxsfCNdPVh', 'OKufiLHcdm', 'LGWfMNN43r', 'uyQfnggVuP', 'mgPf2jNr6V', 'mQdfIWVWHm', 'ukAYNZmJgs', 'Wa7YK4bFVT', 'x3dYdE0ABI'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, PAX83uVRoxbuu33iX2.cs	High entropy of concatenated method names: 'H2my6UinGS', 'yTJyU9yh1q', 'vNIy86SV27', 'LKRykfSWsM', 'MhCyBYADqi', 'vjsyDD36U5', 'NBOyhk6G33', 'SFEyYyusCX', 'WqlyfG7Sc6', 'Rk6yH3UXZK'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, MX5baKcQduoLnQSywj2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vClHenUyGC', 'KdLHVVtiwo', 'K8aHxRkgAo', 'TaHH0a4OQL', 'dXyH32Cbv9', 'kwRHAFYBYM', 'pkcHNsDGGr'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, In7BZMgDRbJ4pDwyHe.cs	High entropy of concatenated method names: 'z642WPaFfk', 'wC721spJRE', 'uwcymcn0uO', 'jILygxnXRc', 'Vb5y7mTJNr', 'FOiyXTTL4y', 'Bojyqd7vUK', 'bs4yjdqAV3', 'JG7yPwFuCi', 'EIpyov6NJG'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, hUKFKiDa9vnGoj4IHO.cs	High entropy of concatenated method names: 'L7WpL2Sjkg', 'Vt6pcxLSTR', 'A7npv5wXu2', 'PQTpwXKO5S', 'H9SpBPEwln', 'qQApDwANAD', 'nTVUA4XV7vdQ4JYNam', 'F7lhIDklslo9w4ydvN', 'MRCpp3AII7', 'SGjpCx8mDc'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, lAKyrUYDFF0BNXKK8u.cs	High entropy of concatenated method names: 'fHsIZwds5C', 'hoiIncXLYy', 'XmLI2NTyNA', 'Uj0IL7xqsk', 'jskIcWymSE', 'xF123WpVM3', 'UIP2ALJFkm', 'W0f2N40aIC', 'f3u2KJb0y8', 'vR22dtxQFC'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, rO5HpeSsG7mJALEoTd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ntg5d1hw9Y', 'fIT5rdnW5m', 'bBs5zhoMqE', 'VMRClRceSW', 'R5JCp0KAox', 'ljTC5Bipwi', 'je9CCCJ2Wu', 'l6ZoEDvSQFxVKLWH64a'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, QxAaJdyfkcOUsLDeE2.cs	High entropy of concatenated method names: 'PKOYFLgmSh', 'FiMYOa5pSX', 'LY4Yma1R1m', 'NubYgc6FQ1', 'UUqYeCEnCw', 'jfMY7BLGkq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, al6DtAccKrL4Xnsi1t5.cs	High entropy of concatenated method names: 'ToString', 'PGmHC12sIp', 'RWNHi0Q4ir', 'rwAHZWlHlM', 'FMZHMw6qE7', 'VdjHnAamOD', 'bDkHyg8n2x', 'JI7H2QFn5p', 'lavvOHM1JQKD5EqFaFx', 'wVUVafMDsLAnLJuOCnG'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, b4uOTsniPy7tMYIvRh.cs	High entropy of concatenated method names: 'rQCTEDV4V', 'VMr6iPJum', 'TE5UD3LfQ', 'Uj112kOf4', 'EELkS6mHo', 'geBQmKGwT', 'EY8VogdrKpyBPkc882', 'yVPorZyoguIhDIBPBL', 'pVyYMhrRf', 'IV3HvtbNv'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Yb2S65W4SnJy6QSjeK.cs	High entropy of concatenated method names: 'DwLhKLfe07', 'EJXhr5H0YV', 'yToYlCojkB', 'Y9bYplcvr1', 'G69hJX3mjk', 'XG3ht0wW82', 'CDJhRq5jGw', 'Xephe8x2WA', 'A6WhVA67oX', 'rkLhxUoNDR'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, FbuB85sRXgHQukwMDs.cs	High entropy of concatenated method names: 'Pu7CZuhybF', 'ptPCMBE3c5', 'Sn1CnpfHcy', 'bZICyuvZgW', 'wslC2RmrrC', 'phoCIOaAmD', 'RMKCLglRjC', 'r3hCc9bcqf', 'BI5CGCkbEU', 'YudCv1vP49'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, YlZ82i7i9TZ0SdYkcJ.cs	High entropy of concatenated method names: 'Dispose', 'XQ5pd6c35Z', 'G3R5OROSor', 'xmjssuJwoV', 'iSipr9qpfv', 'HeFpzpWx0e', 'ProcessDialogKey', 's9t5lCpxPc', 'E785p5F4GK', 'T0q55iLMtp'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, hwWW4hCnmpMqoYbmje.cs	High entropy of concatenated method names: 'z9pYMZULlx', 'GFeYnXwfCD', 'Md8YyRCE6Z', 'seSY2VKEbT', 'Eh2YI5MFYG', 'xUUYLAqXcu', 'hvAYcNxUnY', 'GxQYGAefmh', 'ei2YvWm535', 'C2fYwScOo5'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, Fhn3qXhQZ2H48RDDPl.cs	High entropy of concatenated method names: 'VAILMC6uWX', 'J9MLyqg2Hh', 'I7BLIEb6Jo', 'BsxIrct7Eg', 'oMqIzcUbwV', 'Iy6Lljtul3', 'hqDLpY4gWQ', 'tu6L55EE72', 'pYBLCSX5e5', 'MSmLiI4tV2'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, SijOYSc51G5UnH6HmiJ.cs	High entropy of concatenated method names: 'tCufEVSMbR', 's3vfbQTajS', 'rNafTvEZgM', 'VaTf6EBkDr', 'DJEfW8pfsF', 'SHqfU0v1uE', 'ESgf1BThVT', 'yUyf8uf1IJ', 'ACsfkhmvD2', 'tdrfQSN3eA'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, zgmIucz84CQcRCApdO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zbxfauTMc2', 'JSffBwA6Bm', 'lRmfDVGfHs', 'n1ffhmUg41', 'kAjfYbcf26', 'Q95ffPxqju', 'lSMfHKVasR'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, RJD2yDAA3mME3n9aB8.cs	High entropy of concatenated method names: 'tvyneLMUuW', 'ge7nVaXliv', 'IqhnxI3Cpg', 'EtHn0smVVn', 'XWEn3dTATB', 'KJQnAlBQcb', 'naenNGwcYj', 'PbCnKTbH3k', 'OtxnddDYZr', 'fJwnrvQZgf'
Source: 1.2.e-dekont_html.scr.exe.b590000.22.raw.unpack, slVDVLBqMXcMQu6e1t.cs	High entropy of concatenated method names: 'ToString', 'ElkDJug5Ly', 'AHYDOLNbcW', 'YOyDmcv6wE', 'S1TDggRF6w', 'nNYD7Jyq5a', 'zFADXInaRi', 'jhgDqyKe3o', 'kHiDjTkeoB', 'EykDPumPPW'

Drops PE files

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

File created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 6C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 5850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 4E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 6850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 3130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory allocated: 5130000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7644	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8012	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Window / User API: threadDelayed 3243	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Window / User API: threadDelayed 6577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Window / User API: threadDelayed 2752
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Window / User API: threadDelayed 7088

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 7644 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 348 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8064	Thread sleep count: 3243 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99635s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99420s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -99044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8064	Thread sleep count: 6577 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97237s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94847s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94277s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -94057s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -93951s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe TID: 8056	Thread sleep time: -92362s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 8080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 996	Thread sleep count: 2752 > 30
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 996	Thread sleep count: 7088 > 30
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99670s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99561s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99342s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -99086s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98856s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98120s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97195s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -97091s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96976s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96750s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96516s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96391s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95813s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95469s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95141s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -95031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94915s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94797s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94672s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94563s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe TID: 916	Thread sleep time: -94219s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99635	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99420	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99273	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 99044	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97237	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94847	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94719	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94594	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94277	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94172	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 94057	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 93951	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Thread delayed: delay time: 92362	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99670
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99561
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99342
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 99086
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98856
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98120
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97766
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97438
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97313
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97195
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 97091
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96976
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96750
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96641
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96516
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96391
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96172
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95938
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95813
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95703
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95594
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95469
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95359
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95250
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95141
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 95031
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94915
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94797
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94672
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94563
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94438
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94328
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Thread delayed: delay time: 94219

Source: ZRbgEuSJYOgOl.exe, 0000000E.00000002.2608999212.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e-dekont_html.scr.exe, 00000009.00000002.2610403456.0000000001442000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Memory written: C:\Users\user\Desktop\e-dekont_html.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Memory written: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpA98F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Process created: C:\Users\user\Desktop\e-dekont_html.scr.exe "C:\Users\user\Desktop\e-dekont_html.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRbgEuSJYOgOl" /XML "C:\Users\user\AppData\Local\Temp\tmpD022.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Process created: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe "C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.651d4a0.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.e-dekont_html.scr.exe.64e2a80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.45c5ec8.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ZRbgEuSJYOgOl.exe.458b4a8.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2608572120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1461386146.00000000064E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552727538.000000000458B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2612303414.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2612262125.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.scr.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 8016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZRbgEuSJYOgOl.exe PID: 1532, type: MEMORYSTR

ID:	1426827
Product:	CloudBasic
Start time:	17:13:11
Start date:	16.04.2024
Sample:	e-dekont_html.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	abc774f48c2e514bde4ba275a4314b4a
SHA1:	141d5d859afb0340302bd4ee2ca2be9493f39804
SHA256:	fad3e7058eb2fa88ce97e62a6a243748d6736f9c4e21e4112ed61a40813588b2
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZRbgEuSJYOgOl.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e-dekont_html.scr.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	D453258060AFEB6CAD05A86BCB4BA21D	E9E3DC45C2973773AAA422079A5AD945F1C86389	CB241A1BDD284207E8ADD0BB2EEB08DB4B2FF9B86569D7E32FB84A9C9E97D857
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ysamt1j.yvu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ae4fvqsl.nlb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g1g3g3kl.qmi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grfc5lp1.pcc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnoqfrvk.jde.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lybng2ex.zfq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_noksldm2.3ba.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrxwncbf.wti.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmpA98F.tmp	XML 1.0 document, ASCII text	9B3840745900AFC9D66DC601D2FB606D	A06AA020E22BDDABC121B43BD341454538CDDDFB	604A00D8E002749B19CC0D0269E6F46EF9BDE9E24CE7C87BFD1CAA788E37277E
C:\Users\user\AppData\Local\Temp\tmpD022.tmp	XML 1.0 document, ASCII text	9B3840745900AFC9D66DC601D2FB606D	A06AA020E22BDDABC121B43BD341454538CDDDFB	604A00D8E002749B19CC0D0269E6F46EF9BDE9E24CE7C87BFD1CAA788E37277E
C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	ABC774F48C2E514BDE4BA275A4314B4A	141D5D859AFB0340302BD4EE2CA2BE9493F39804	FAD3E7058EB2FA88CE97E62A6A243748D6736F9C4E21E4112ED61A40813588B2
C:\Users\user\AppData\Roaming\ZRbgEuSJYOgOl.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
e-dekont_html.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report e-dekont_html.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
e-dekont_html.scr.exe

Malware Threat Intel
Provided by