Windows Analysis Report
e-dekont.exe

Overview

General Information

Sample name: e-dekont.exe
Analysis ID: 1430774
MD5: ff53d6a04ea8618890f7a81e31bd8a22
SHA1: d804959bcb8a2ea43278a1f78aac8abede4fa62f
SHA256: 5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298
Tags: exegeoTUR

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "s.reyhani@agmfilter.com", "Password": "sibelr_63017", "Host": "mail.agmfilter.com", "Port": "587"}
Source: scratchdreams.tk Virustotal: Detection: 17% Perma Link
Source: https://scratchdreams.tk Virustotal: Detection: 16% Perma Link
Source: https://scratchdreams.tk/_send_.php?TS Virustotal: Detection: 14% Perma Link
Source: http://scratchdreams.tk Virustotal: Detection: 17% Perma Link
Source: e-dekont.exe ReversingLabs: Detection: 60%
Source: e-dekont.exe Virustotal: Detection: 61% Perma Link
Source: e-dekont.exe Joe Sandbox ML: detected
Source: e-dekont.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: e-dekont.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wGVE.pdbSHA256S source: e-dekont.exe
Source: Binary string: wGVE.pdb source: e-dekont.exe

Networking

Source: Yara match File source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org

System Summary

Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.e-dekont.exe.2b052b4.1.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: 0.2.e-dekont.exe.73b0000.12.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_07619180 0_2_07619180
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_07610040 0_2_07610040
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_07614D18 0_2_07614D18
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_076155F0 0_2_076155F0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_07612CA8 0_2_07612CA8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_0761001E 0_2_0761001E
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_076148E0 0_2_076148E0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_076130D0 0_2_076130D0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCB388 2_2_02DCB388
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCC1F0 2_2_02DCC1F0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC6168 2_2_02DC6168
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC6790 2_2_02DC6790
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCC7B1 2_2_02DCC7B1
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCC4D0 2_2_02DCC4D0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCCA91 2_2_02DCCA91
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC4B31 2_2_02DC4B31
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC98B8 2_2_02DC98B8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCBF10 2_2_02DCBF10
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCBC32 2_2_02DCBC32
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCF4E8 2_2_02DCF4E8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC35C8 2_2_02DC35C8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCB552 2_2_02DCB552
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCEA08 2_2_02DCEA08
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCE9F8 2_2_02DCE9F8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DCF941 2_2_02DCF941
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B44490 2_2_05B44490
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B489B0 2_2_05B489B0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B49080 2_2_05B49080
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41DE0 2_2_05B41DE0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41DD0 2_2_05B41DD0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41520 2_2_05B41520
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F528 2_2_05B4F528
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41510 2_2_05B41510
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F518 2_2_05B4F518
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C560 2_2_05B4C560
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C550 2_2_05B4C550
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B44486 2_2_05B44486
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4EC78 2_2_05B4EC78
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B40C60 2_2_05B40C60
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4EC69 2_2_05B4EC69
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B40C50 2_2_05B40C50
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4DF70 2_2_05B4DF70
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4DF60 2_2_05B4DF60
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4D6B0 2_2_05B4D6B0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4D6C0 2_2_05B4D6C0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4CE10 2_2_05B4CE10
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4CE01 2_2_05B4CE01
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C9B8 2_2_05B4C9B8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C9A9 2_2_05B4C9A9
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41980 2_2_05B41980
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F980 2_2_05B4F980
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C108 2_2_05B4C108
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B41970 2_2_05B41970
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F971 2_2_05B4F971
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B410B0 2_2_05B410B0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4C0F7 2_2_05B4C0F7
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F0D0 2_2_05B4F0D0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B410C0 2_2_05B410C0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4F0C0 2_2_05B4F0C0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4E820 2_2_05B4E820
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B40011 2_2_05B40011
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4E811 2_2_05B4E811
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B48008 2_2_05B48008
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B40040 2_2_05B40040
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4E3B9 2_2_05B4E3B9
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4E3C8 2_2_05B4E3C8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4DB18 2_2_05B4DB18
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4DB09 2_2_05B4DB09
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4D268 2_2_05B4D268
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4D258 2_2_05B4D258
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0DAC0 2_2_06C0DAC0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0AEA8 2_2_06C0AEA8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C08A58 2_2_06C08A58
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0CE28 2_2_06C0CE28
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0C7D8 2_2_06C0C7D8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0BB38 2_2_06C0BB38
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0B4F0 2_2_06C0B4F0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C09091 2_2_06C09091
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C074A0 2_2_06C074A0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0A858 2_2_06C0A858
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0D478 2_2_06C0D478
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C015F8 2_2_06C015F8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0C188 2_2_06C0C188
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C05EC0 2_2_06C05EC0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0AE98 2_2_06C0AE98
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0DAAF 2_2_06C0DAAF
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C05EB0 2_2_06C05EB0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C08A48 2_2_06C08A48
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C05A58 2_2_06C05A58
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C05A68 2_2_06C05A68
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C08600 2_2_06C08600
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0CE18 2_2_06C0CE18
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06BC8 2_2_06C06BC8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0C7C9 2_2_06C0C7C9
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C037FA 2_2_06C037FA
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C03B80 2_2_06C03B80
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06BB8 2_2_06C06BB8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06760 2_2_06C06760
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06770 2_2_06C06770
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06308 2_2_06C06308
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C06318 2_2_06C06318
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0BB27 2_2_06C0BB27
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0B4E0 2_2_06C0B4E0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C008E1 2_2_06C008E1
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C078E7 2_2_06C078E7
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C008F0 2_2_06C008F0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C078F8 2_2_06C078F8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C04880 2_2_06C04880
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00488 2_2_06C00488
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C07490 2_2_06C07490
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00498 2_2_06C00498
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00040 2_2_06C00040
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0A848 2_2_06C0A848
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C02C68 2_2_06C02C68
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0D468 2_2_06C0D468
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00007 2_2_06C00007
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C03808 2_2_06C03808
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C07010 2_2_06C07010
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C07020 2_2_06C07020
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C055D9 2_2_06C055D9
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C055E8 2_2_06C055E8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C085F1 2_2_06C085F1
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C01191 2_2_06C01191
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0819A 2_2_06C0819A
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C011A0 2_2_06C011A0
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C081A8 2_2_06C081A8
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C07D40 2_2_06C07D40
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00D48 2_2_06C00D48
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C07D50 2_2_06C07D50
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0C178 2_2_06C0C178
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C00D38 2_2_06C00D38
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C2043C 2_2_06C2043C
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C23570 2_2_06C23570
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C2BFEC 2_2_06C2BFEC
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C2DC48 2_2_06C2DC48
Source: e-dekont.exe, 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1666058439.00000000073B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000000.1635678271.000000000078E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewGVE.exeB vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1660508075.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1660508075.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1663643804.0000000004AE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs e-dekont.exe
Source: e-dekont.exe, 00000000.00000002.1659851365.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs e-dekont.exe
Source: e-dekont.exe, 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs e-dekont.exe
Source: e-dekont.exe, 00000002.00000002.4086498385.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs e-dekont.exe
Source: e-dekont.exe Binary or memory string: OriginalFilenamewGVE.exeB vs e-dekont.exe
Source: e-dekont.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: e-dekont.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, -C.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont.exe.4720090.8.raw.unpack, -C.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.SetAccessControl
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.AddAccessRule
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.SetAccessControl
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.AddAccessRule
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, dTtXywlp86sra2ZdK5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.SetAccessControl
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sZO3HFIRxWuEpruDfq.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/3
Source: C:\Users\user\Desktop\e-dekont.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e-dekont.exe.log
Source: C:\Users\user\Desktop\e-dekont.exe Mutant created: NULL
Source: e-dekont.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: e-dekont.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\e-dekont.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e-dekont.exe, 00000002.00000002.4088425866.0000000003216000.00000004.00000800.00020000.00000000.sdmp, e-dekont.exe, 00000002.00000002.4088425866.0000000003207000.00000004.00000800.00020000.00000000.sdmp, e-dekont.exe, 00000002.00000002.4088425866.00000000031F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: e-dekont.exe ReversingLabs: Detection: 60%
Source: e-dekont.exe Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\e-dekont.exe File read: C:\Users\user\Desktop\e-dekont.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\e-dekont.exe "C:\Users\user\Desktop\e-dekont.exe"
Source: C:\Users\user\Desktop\e-dekont.exe Process created: C:\Users\user\Desktop\e-dekont.exe "C:\Users\user\Desktop\e-dekont.exe"
Source: C:\Users\user\Desktop\e-dekont.exe Process created: C:\Users\user\Desktop\e-dekont.exe "C:\Users\user\Desktop\e-dekont.exe" Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\e-dekont.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\e-dekont.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\e-dekont.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: e-dekont.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: e-dekont.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: e-dekont.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wGVE.pdbSHA256S source: e-dekont.exe
Source: Binary string: wGVE.pdb source: e-dekont.exe

Data Obfuscation

Source: e-dekont.exe, Form1.cs .Net Code: InitializeComponent
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sZO3HFIRxWuEpruDfq.cs .Net Code: DV8ePiLWbw System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont.exe.2b052b4.1.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sZO3HFIRxWuEpruDfq.cs .Net Code: DV8ePiLWbw System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont.exe.73b0000.12.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sZO3HFIRxWuEpruDfq.cs .Net Code: DV8ePiLWbw System.Reflection.Assembly.Load(byte[])
Source: e-dekont.exe Static PE information: 0xFFD1EFAD [Sun Jan 3 07:54:21 2106 UTC]
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_0295E460 pushfd ; retf 0_2_0295E461
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_073F4507 pushad ; retf 0_2_073F4508
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 0_2_073F44FD pushad ; retf 0_2_073F44FE
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_02DC9770 push esp; ret 2_2_02DC9771
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0359F push es; iretd 2_2_06C0367C
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C03621 push es; iretd 2_2_06C0367C
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C09045 push es; ret 2_2_06C0904C
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_06C0359F push es; iretd 2_2_06C0367C
Source: e-dekont.exe Static PE information: section name: .text entropy: 7.955212716673103
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, GFmq6jeWw2VPHLdjXQ.cs High entropy of concatenated method names: 'PRL0M0SX9U', 'NuD0Ca4lgp', 'S3u0pLnMDB', 'hp20DsVE5H', 'hOB03rn42v', 'ffj04xGQTX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, SBhr37Eba3HGHsc4GS.cs High entropy of concatenated method names: 'FrsFiYwdUH', 'CgEFJFbBj6', 'v1G0TuhbKD', 'IFn0StgSqy', 'prAFZkVctd', 'gQbFxw7Btq', 'pkuFByijjg', 'rc3F3v6M8i', 'MvNFcZrPNx', 'zniF1Nn5Us'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, SokUCaY3uiJOKtiAys2.cs High entropy of concatenated method names: 'eDWjUoqhn4', 'nFyjsbI1r5', 'HiojPcDeCw', 'eW2jEELp8N', 'gx5jtvIBvd', 'IxjjngxuBg', 'o0KjfiX5ye', 'RFijAgOQES', 'vRajq8Fcec', 'cOYjQf5x9T'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, YSg4KxWDvO5g0WLFjV.cs High entropy of concatenated method names: 'cweYEQc6ed', 'HjDYnXUG6F', 'fMMYAaLRY6', 'AdFYqZUW1F', 'RN3Y2a2CwI', 'QjkYgWVBDN', 'PNvYF7Qi9l', 'TmfY08ys7p', 'wXtYjouk3Z', 'fE9Yr18YDF'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, K0BC4Ea55hp7C27VHS.cs High entropy of concatenated method names: 'TQKNo1LuXs', 'kQtNUhxOUD', 'KI1NPFiESx', 'OyqNETO8S4', 'npmNn4TV2v', 'mYCNfHbjhD', 'Q7uNqoAhdw', 'SfrNQKxNU3', 'UrfqPBZeGWxXjrgcSRs', 'UQ5KDuZq40ZgwfJdeiB'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, gKGHQrtfF8pAIlCF7W.cs High entropy of concatenated method names: 'ay4jSBJLtc', 'QehjbSroLC', 'lCAje9gyo9', 'DGYjKLWkry', 'K7sjWu06va', 'nD8j6wAQ9Y', 'OBljNvBXQk', 'GcG0H2dZd6', 'G1o0igXqop', 'RZf0aqYqL4'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, mg7ueT58ImXGqb211X.cs High entropy of concatenated method names: 'N4IFONfuOj', 'D91FkosvTG', 'ToString', 'NDYFKb8j0E', 'gA0FWa4Sf0', 'HcjFYjbqZK', 'PmWF6MVbbI', 'uiQFNbM75v', 'xGwFh4tYNp', 'DoGFugXCgZ'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, LIgXRi1giEMrRmxvTU.cs High entropy of concatenated method names: 'BAX2my8DYJ', 'PAu2xNOBiy', 'oHf23v0pYJ', 'G6V2ckQNRu', 'jtc2CcDpVO', 'z0N2pacRBT', 'dvQ2DmDIIE', 'c1124pxbyn', 'AGX29ygSkw', 'WEM2lE8isd'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, eNAIGeMhT6QTnJZQ2c.cs High entropy of concatenated method names: 'S5bPtZHrU', 'Xu4E0Z48e', 'oPfnqwjRY', 'D9qfdNRD9', 'RyZqD81iX', 'x1CQbZpV3', 'cwDIZU5gTwhp5CqvsF', 'LwFq4PIDUU5RVsWInQ', 'FmO0Qc1iG', 'SXsr21pK9'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, CY9iQ9UQIfrGylb4q6.cs High entropy of concatenated method names: 'vpWhK7orJA', 'dvrhY5ZOms', 'MebhN8rPCo', 'yt1NJsdvTr', 'qovNzBxmLh', 'GiKhTD63Sb', 'YkohSFYS9F', 'FHJhGlO2cB', 'towhb2BRAP', 'eEbheCq6ha'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, mleEQrRUKsxHalQgKV.cs High entropy of concatenated method names: 'sR2hUjkjuY', 'CI7hswiGpZ', 'udihPInVh4', 'u1MhEAlS8C', 'RCchtH9qYP', 'YgGhnIoph7', 'G0Ghf5q8jx', 'pAAhAk5lSV', 'RZFhq2f2o4', 'fVchQpnF2G'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sZO3HFIRxWuEpruDfq.cs High entropy of concatenated method names: 'hXybwoSpjL', 'wwLbKT9WiK', 'A66bWtOqX8', 'Gi9bYQAxOl', 'YQJb61AoqN', 'RmNbNdJuAm', 'h6AbhK2Ief', 'kQHbuDpAmO', 'NnmbLym8SI', 'gh6bO74BP5'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, dTtXywlp86sra2ZdK5.cs High entropy of concatenated method names: 'YfvW3Nv924', 'k5HWcdw4bv', 'UjCW1lP4XK', 'XX4WyG6Vc1', 'BLNW59pmUg', 'R5aWdX9baC', 'FNqWH3Yeyj', 'qTsWikWrAt', 'Ix9WaKtdJK', 'yVoWJxDpV8'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, vCntCIAQv8LQSynJxw.cs High entropy of concatenated method names: 'b8tNwgwHEK', 'lKlNWSxC3u', 'aFsN6K63RU', 'I4gNhheH02', 'CONNuBxD25', 'sfI652WpJf', 'q6a6dcQdbc', 'NYA6HrqfEI', 'CG96i8YQBS', 'eRV6aL0xFc'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sIoks92u7sGwTcwfTc.cs High entropy of concatenated method names: 'Dispose', 'PUwSaYWp5V', 'uy7GC2ZiSR', 'KU977WqTaB', 'gvQSJ5BSZb', 'ra0SzybWl7', 'ProcessDialogKey', 'Er8GTL9Oe5', 'lqtGSfZrZc', 'RkVGGBEoHK'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, o9fI1yvIhFCGn4Lj8I.cs High entropy of concatenated method names: 'enFShZH9cB', 'ff0SuUUkHH', 'Ae2SOkAwoN', 'vQWSkKm5Ay', 'XfcS2KAMMc', 'nVeSg1ZQfL', 'iLaCOt7LcTlUfSLaac', 'Mhx1tcyPEOXdEtyN5n', 'AOPoATGyn5Dr9cLuQ5', 'pI3SSHISBU'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sbP0BMFZWXXPlLosyI.cs High entropy of concatenated method names: 'DpLVAQa1xh', 'aiyVqdWXLN', 'qpQVMYLlQp', 'N39VCYn3OK', 'q3kVD4HA5h', 'DyeV4BscSc', 'Wn4VlZc1bS', 'kNHVvxfJfo', 'oNSVm6vDpK', 'fnvVZcAeYl'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, knCdjVGr83uL8hhtgn.cs High entropy of concatenated method names: 'WXw0K1hMX7', 'alD0WekIPk', 'etV0YUMVTL', 'Thw06l0ppY', 'bSU0Nr1UdS', 'xNJ0h3Yk9G', 'rFu0uNj1WT', 'AUD0L9p0sn', 'jQX0OiuP6m', 'PVA0kfpP3C'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, EP2N8kZihyVdcM1idG.cs High entropy of concatenated method names: 'YR5N1GnYKI', 'LxxNybEF8e', 'RNON5OPUi1', 'ToString', 'cIlNdolAZ6', 'RcKNH7G8bx', 'BywWSQZI3G7SFrmadrb', 'usOr7lZ9hQ2J7wMoraq', 'c8A6MhZU2edj2bXVebJ'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, iJAQ07YkZftAiMs5moQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yrnr3CSHWV', 'XnUrcHUgFo', 'OyVr17lhjB', 'AfUryghEWy', 'RaXr5Y9XA3', 'O1urds94Gx', 'YQjrHK7qmG'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, sW8unUTVCmAe5wJ2kF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ax2GarCKHH', 'sMcGJpgUx7', 'AIWGzj3W4M', 'BYbbT69Si4', 'Dj5bS11gX1', 'ykhbGOpRYb', 'YsSbbh072T', 'P1f8RgOu7Vv5tcGXTlT'
Source: 0.2.e-dekont.exe.4ae0000.11.raw.unpack, KWjDk4zb0JGixMxZ7j.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a3TjVatgX3', 'f2oj2h02U9', 'zHTjgcjwR9', 'D6kjFPJYem', 'Vanj0B7qac', 'GQdjjYvP3s', 'HEyjrIHOVT'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, GFmq6jeWw2VPHLdjXQ.cs High entropy of concatenated method names: 'PRL0M0SX9U', 'NuD0Ca4lgp', 'S3u0pLnMDB', 'hp20DsVE5H', 'hOB03rn42v', 'ffj04xGQTX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, SBhr37Eba3HGHsc4GS.cs High entropy of concatenated method names: 'FrsFiYwdUH', 'CgEFJFbBj6', 'v1G0TuhbKD', 'IFn0StgSqy', 'prAFZkVctd', 'gQbFxw7Btq', 'pkuFByijjg', 'rc3F3v6M8i', 'MvNFcZrPNx', 'zniF1Nn5Us'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, SokUCaY3uiJOKtiAys2.cs High entropy of concatenated method names: 'eDWjUoqhn4', 'nFyjsbI1r5', 'HiojPcDeCw', 'eW2jEELp8N', 'gx5jtvIBvd', 'IxjjngxuBg', 'o0KjfiX5ye', 'RFijAgOQES', 'vRajq8Fcec', 'cOYjQf5x9T'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, YSg4KxWDvO5g0WLFjV.cs High entropy of concatenated method names: 'cweYEQc6ed', 'HjDYnXUG6F', 'fMMYAaLRY6', 'AdFYqZUW1F', 'RN3Y2a2CwI', 'QjkYgWVBDN', 'PNvYF7Qi9l', 'TmfY08ys7p', 'wXtYjouk3Z', 'fE9Yr18YDF'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, K0BC4Ea55hp7C27VHS.cs High entropy of concatenated method names: 'TQKNo1LuXs', 'kQtNUhxOUD', 'KI1NPFiESx', 'OyqNETO8S4', 'npmNn4TV2v', 'mYCNfHbjhD', 'Q7uNqoAhdw', 'SfrNQKxNU3', 'UrfqPBZeGWxXjrgcSRs', 'UQ5KDuZq40ZgwfJdeiB'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, gKGHQrtfF8pAIlCF7W.cs High entropy of concatenated method names: 'ay4jSBJLtc', 'QehjbSroLC', 'lCAje9gyo9', 'DGYjKLWkry', 'K7sjWu06va', 'nD8j6wAQ9Y', 'OBljNvBXQk', 'GcG0H2dZd6', 'G1o0igXqop', 'RZf0aqYqL4'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, mg7ueT58ImXGqb211X.cs High entropy of concatenated method names: 'N4IFONfuOj', 'D91FkosvTG', 'ToString', 'NDYFKb8j0E', 'gA0FWa4Sf0', 'HcjFYjbqZK', 'PmWF6MVbbI', 'uiQFNbM75v', 'xGwFh4tYNp', 'DoGFugXCgZ'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, LIgXRi1giEMrRmxvTU.cs High entropy of concatenated method names: 'BAX2my8DYJ', 'PAu2xNOBiy', 'oHf23v0pYJ', 'G6V2ckQNRu', 'jtc2CcDpVO', 'z0N2pacRBT', 'dvQ2DmDIIE', 'c1124pxbyn', 'AGX29ygSkw', 'WEM2lE8isd'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, eNAIGeMhT6QTnJZQ2c.cs High entropy of concatenated method names: 'S5bPtZHrU', 'Xu4E0Z48e', 'oPfnqwjRY', 'D9qfdNRD9', 'RyZqD81iX', 'x1CQbZpV3', 'cwDIZU5gTwhp5CqvsF', 'LwFq4PIDUU5RVsWInQ', 'FmO0Qc1iG', 'SXsr21pK9'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, CY9iQ9UQIfrGylb4q6.cs High entropy of concatenated method names: 'vpWhK7orJA', 'dvrhY5ZOms', 'MebhN8rPCo', 'yt1NJsdvTr', 'qovNzBxmLh', 'GiKhTD63Sb', 'YkohSFYS9F', 'FHJhGlO2cB', 'towhb2BRAP', 'eEbheCq6ha'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, mleEQrRUKsxHalQgKV.cs High entropy of concatenated method names: 'sR2hUjkjuY', 'CI7hswiGpZ', 'udihPInVh4', 'u1MhEAlS8C', 'RCchtH9qYP', 'YgGhnIoph7', 'G0Ghf5q8jx', 'pAAhAk5lSV', 'RZFhq2f2o4', 'fVchQpnF2G'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sZO3HFIRxWuEpruDfq.cs High entropy of concatenated method names: 'hXybwoSpjL', 'wwLbKT9WiK', 'A66bWtOqX8', 'Gi9bYQAxOl', 'YQJb61AoqN', 'RmNbNdJuAm', 'h6AbhK2Ief', 'kQHbuDpAmO', 'NnmbLym8SI', 'gh6bO74BP5'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, dTtXywlp86sra2ZdK5.cs High entropy of concatenated method names: 'YfvW3Nv924', 'k5HWcdw4bv', 'UjCW1lP4XK', 'XX4WyG6Vc1', 'BLNW59pmUg', 'R5aWdX9baC', 'FNqWH3Yeyj', 'qTsWikWrAt', 'Ix9WaKtdJK', 'yVoWJxDpV8'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, vCntCIAQv8LQSynJxw.cs High entropy of concatenated method names: 'b8tNwgwHEK', 'lKlNWSxC3u', 'aFsN6K63RU', 'I4gNhheH02', 'CONNuBxD25', 'sfI652WpJf', 'q6a6dcQdbc', 'NYA6HrqfEI', 'CG96i8YQBS', 'eRV6aL0xFc'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sIoks92u7sGwTcwfTc.cs High entropy of concatenated method names: 'Dispose', 'PUwSaYWp5V', 'uy7GC2ZiSR', 'KU977WqTaB', 'gvQSJ5BSZb', 'ra0SzybWl7', 'ProcessDialogKey', 'Er8GTL9Oe5', 'lqtGSfZrZc', 'RkVGGBEoHK'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, o9fI1yvIhFCGn4Lj8I.cs High entropy of concatenated method names: 'enFShZH9cB', 'ff0SuUUkHH', 'Ae2SOkAwoN', 'vQWSkKm5Ay', 'XfcS2KAMMc', 'nVeSg1ZQfL', 'iLaCOt7LcTlUfSLaac', 'Mhx1tcyPEOXdEtyN5n', 'AOPoATGyn5Dr9cLuQ5', 'pI3SSHISBU'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sbP0BMFZWXXPlLosyI.cs High entropy of concatenated method names: 'DpLVAQa1xh', 'aiyVqdWXLN', 'qpQVMYLlQp', 'N39VCYn3OK', 'q3kVD4HA5h', 'DyeV4BscSc', 'Wn4VlZc1bS', 'kNHVvxfJfo', 'oNSVm6vDpK', 'fnvVZcAeYl'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, knCdjVGr83uL8hhtgn.cs High entropy of concatenated method names: 'WXw0K1hMX7', 'alD0WekIPk', 'etV0YUMVTL', 'Thw06l0ppY', 'bSU0Nr1UdS', 'xNJ0h3Yk9G', 'rFu0uNj1WT', 'AUD0L9p0sn', 'jQX0OiuP6m', 'PVA0kfpP3C'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, EP2N8kZihyVdcM1idG.cs High entropy of concatenated method names: 'YR5N1GnYKI', 'LxxNybEF8e', 'RNON5OPUi1', 'ToString', 'cIlNdolAZ6', 'RcKNH7G8bx', 'BywWSQZI3G7SFrmadrb', 'usOr7lZ9hQ2J7wMoraq', 'c8A6MhZU2edj2bXVebJ'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, iJAQ07YkZftAiMs5moQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yrnr3CSHWV', 'XnUrcHUgFo', 'OyVr17lhjB', 'AfUryghEWy', 'RaXr5Y9XA3', 'O1urds94Gx', 'YQjrHK7qmG'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, sW8unUTVCmAe5wJ2kF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ax2GarCKHH', 'sMcGJpgUx7', 'AIWGzj3W4M', 'BYbbT69Si4', 'Dj5bS11gX1', 'ykhbGOpRYb', 'YsSbbh072T', 'P1f8RgOu7Vv5tcGXTlT'
Source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, KWjDk4zb0JGixMxZ7j.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a3TjVatgX3', 'f2oj2h02U9', 'zHTjgcjwR9', 'D6kjFPJYem', 'Vanj0B7qac', 'GQdjjYvP3s', 'HEyjrIHOVT'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, GFmq6jeWw2VPHLdjXQ.cs High entropy of concatenated method names: 'PRL0M0SX9U', 'NuD0Ca4lgp', 'S3u0pLnMDB', 'hp20DsVE5H', 'hOB03rn42v', 'ffj04xGQTX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, SBhr37Eba3HGHsc4GS.cs High entropy of concatenated method names: 'FrsFiYwdUH', 'CgEFJFbBj6', 'v1G0TuhbKD', 'IFn0StgSqy', 'prAFZkVctd', 'gQbFxw7Btq', 'pkuFByijjg', 'rc3F3v6M8i', 'MvNFcZrPNx', 'zniF1Nn5Us'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, SokUCaY3uiJOKtiAys2.cs High entropy of concatenated method names: 'eDWjUoqhn4', 'nFyjsbI1r5', 'HiojPcDeCw', 'eW2jEELp8N', 'gx5jtvIBvd', 'IxjjngxuBg', 'o0KjfiX5ye', 'RFijAgOQES', 'vRajq8Fcec', 'cOYjQf5x9T'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, YSg4KxWDvO5g0WLFjV.cs High entropy of concatenated method names: 'cweYEQc6ed', 'HjDYnXUG6F', 'fMMYAaLRY6', 'AdFYqZUW1F', 'RN3Y2a2CwI', 'QjkYgWVBDN', 'PNvYF7Qi9l', 'TmfY08ys7p', 'wXtYjouk3Z', 'fE9Yr18YDF'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, K0BC4Ea55hp7C27VHS.cs High entropy of concatenated method names: 'TQKNo1LuXs', 'kQtNUhxOUD', 'KI1NPFiESx', 'OyqNETO8S4', 'npmNn4TV2v', 'mYCNfHbjhD', 'Q7uNqoAhdw', 'SfrNQKxNU3', 'UrfqPBZeGWxXjrgcSRs', 'UQ5KDuZq40ZgwfJdeiB'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, gKGHQrtfF8pAIlCF7W.cs High entropy of concatenated method names: 'ay4jSBJLtc', 'QehjbSroLC', 'lCAje9gyo9', 'DGYjKLWkry', 'K7sjWu06va', 'nD8j6wAQ9Y', 'OBljNvBXQk', 'GcG0H2dZd6', 'G1o0igXqop', 'RZf0aqYqL4'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, mg7ueT58ImXGqb211X.cs High entropy of concatenated method names: 'N4IFONfuOj', 'D91FkosvTG', 'ToString', 'NDYFKb8j0E', 'gA0FWa4Sf0', 'HcjFYjbqZK', 'PmWF6MVbbI', 'uiQFNbM75v', 'xGwFh4tYNp', 'DoGFugXCgZ'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, LIgXRi1giEMrRmxvTU.cs High entropy of concatenated method names: 'BAX2my8DYJ', 'PAu2xNOBiy', 'oHf23v0pYJ', 'G6V2ckQNRu', 'jtc2CcDpVO', 'z0N2pacRBT', 'dvQ2DmDIIE', 'c1124pxbyn', 'AGX29ygSkw', 'WEM2lE8isd'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, eNAIGeMhT6QTnJZQ2c.cs High entropy of concatenated method names: 'S5bPtZHrU', 'Xu4E0Z48e', 'oPfnqwjRY', 'D9qfdNRD9', 'RyZqD81iX', 'x1CQbZpV3', 'cwDIZU5gTwhp5CqvsF', 'LwFq4PIDUU5RVsWInQ', 'FmO0Qc1iG', 'SXsr21pK9'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, CY9iQ9UQIfrGylb4q6.cs High entropy of concatenated method names: 'vpWhK7orJA', 'dvrhY5ZOms', 'MebhN8rPCo', 'yt1NJsdvTr', 'qovNzBxmLh', 'GiKhTD63Sb', 'YkohSFYS9F', 'FHJhGlO2cB', 'towhb2BRAP', 'eEbheCq6ha'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, mleEQrRUKsxHalQgKV.cs High entropy of concatenated method names: 'sR2hUjkjuY', 'CI7hswiGpZ', 'udihPInVh4', 'u1MhEAlS8C', 'RCchtH9qYP', 'YgGhnIoph7', 'G0Ghf5q8jx', 'pAAhAk5lSV', 'RZFhq2f2o4', 'fVchQpnF2G'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sZO3HFIRxWuEpruDfq.cs High entropy of concatenated method names: 'hXybwoSpjL', 'wwLbKT9WiK', 'A66bWtOqX8', 'Gi9bYQAxOl', 'YQJb61AoqN', 'RmNbNdJuAm', 'h6AbhK2Ief', 'kQHbuDpAmO', 'NnmbLym8SI', 'gh6bO74BP5'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, dTtXywlp86sra2ZdK5.cs High entropy of concatenated method names: 'YfvW3Nv924', 'k5HWcdw4bv', 'UjCW1lP4XK', 'XX4WyG6Vc1', 'BLNW59pmUg', 'R5aWdX9baC', 'FNqWH3Yeyj', 'qTsWikWrAt', 'Ix9WaKtdJK', 'yVoWJxDpV8'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, vCntCIAQv8LQSynJxw.cs High entropy of concatenated method names: 'b8tNwgwHEK', 'lKlNWSxC3u', 'aFsN6K63RU', 'I4gNhheH02', 'CONNuBxD25', 'sfI652WpJf', 'q6a6dcQdbc', 'NYA6HrqfEI', 'CG96i8YQBS', 'eRV6aL0xFc'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sIoks92u7sGwTcwfTc.cs High entropy of concatenated method names: 'Dispose', 'PUwSaYWp5V', 'uy7GC2ZiSR', 'KU977WqTaB', 'gvQSJ5BSZb', 'ra0SzybWl7', 'ProcessDialogKey', 'Er8GTL9Oe5', 'lqtGSfZrZc', 'RkVGGBEoHK'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, o9fI1yvIhFCGn4Lj8I.cs High entropy of concatenated method names: 'enFShZH9cB', 'ff0SuUUkHH', 'Ae2SOkAwoN', 'vQWSkKm5Ay', 'XfcS2KAMMc', 'nVeSg1ZQfL', 'iLaCOt7LcTlUfSLaac', 'Mhx1tcyPEOXdEtyN5n', 'AOPoATGyn5Dr9cLuQ5', 'pI3SSHISBU'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sbP0BMFZWXXPlLosyI.cs High entropy of concatenated method names: 'DpLVAQa1xh', 'aiyVqdWXLN', 'qpQVMYLlQp', 'N39VCYn3OK', 'q3kVD4HA5h', 'DyeV4BscSc', 'Wn4VlZc1bS', 'kNHVvxfJfo', 'oNSVm6vDpK', 'fnvVZcAeYl'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, knCdjVGr83uL8hhtgn.cs High entropy of concatenated method names: 'WXw0K1hMX7', 'alD0WekIPk', 'etV0YUMVTL', 'Thw06l0ppY', 'bSU0Nr1UdS', 'xNJ0h3Yk9G', 'rFu0uNj1WT', 'AUD0L9p0sn', 'jQX0OiuP6m', 'PVA0kfpP3C'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, EP2N8kZihyVdcM1idG.cs High entropy of concatenated method names: 'YR5N1GnYKI', 'LxxNybEF8e', 'RNON5OPUi1', 'ToString', 'cIlNdolAZ6', 'RcKNH7G8bx', 'BywWSQZI3G7SFrmadrb', 'usOr7lZ9hQ2J7wMoraq', 'c8A6MhZU2edj2bXVebJ'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, iJAQ07YkZftAiMs5moQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yrnr3CSHWV', 'XnUrcHUgFo', 'OyVr17lhjB', 'AfUryghEWy', 'RaXr5Y9XA3', 'O1urds94Gx', 'YQjrHK7qmG'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, sW8unUTVCmAe5wJ2kF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ax2GarCKHH', 'sMcGJpgUx7', 'AIWGzj3W4M', 'BYbbT69Si4', 'Dj5bS11gX1', 'ykhbGOpRYb', 'YsSbbh072T', 'P1f8RgOu7Vv5tcGXTlT'
Source: 0.2.e-dekont.exe.465b050.9.raw.unpack, KWjDk4zb0JGixMxZ7j.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a3TjVatgX3', 'f2oj2h02U9', 'zHTjgcjwR9', 'D6kjFPJYem', 'Vanj0B7qac', 'GQdjjYvP3s', 'HEyjrIHOVT'
Source: C:\Users\user\Desktop\e-dekont.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\e-dekont.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\e-dekont.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 2AE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 4AE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 8960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 9960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 9B60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: AB60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: AF50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: BF50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: CF50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: 4FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599543
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599422
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599312
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599202
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598875
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598656
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598547
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598437
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598109
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597562
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597446
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597219
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 597094
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596984
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596875
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596766
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596656
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596547
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596438
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596313
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596188
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595844
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595734
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595625
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595406
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595297
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595188
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 595063
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 594609
Source: C:\Users\user\Desktop\e-dekont.exe Thread delayed: delay time: 594500
Source: C:\Users\user\Desktop\e-dekont.exe Window / User API: threadDelayed 1400
Source: C:\Users\user\Desktop\e-dekont.exe Window / User API: threadDelayed 8446
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7508 Thread sleep count: 1400 > 30
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7508 Thread sleep count: 8446 > 30
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599543s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599202s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597446s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\Desktop\e-dekont.exe TID: 7504 Thread sleep time: -594500s >= -30000s
Source: e-dekont.exe, 00000002.00000002.4086663197.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\e-dekont.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\e-dekont.exe Code function: 2_2_05B4BE28 LdrInitializeThunk, 2_2_05B4BE28
Source: C:\Users\user\Desktop\e-dekont.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\e-dekont.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\e-dekont.exe Memory written: C:\Users\user\Desktop\e-dekont.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\e-dekont.exe Process created: C:\Users\user\Desktop\e-dekont.exe "C:\Users\user\Desktop\e-dekont.exe"
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Users\user\Desktop\e-dekont.exe VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Users\user\Desktop\e-dekont.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\e-dekont.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4088425866.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4088425866.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR
Source: C:\Users\user\Desktop\e-dekont.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\e-dekont.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\e-dekont.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\e-dekont.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.e-dekont.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.4720090.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.46bd870.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.e-dekont.exe.465b050.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4088425866.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4086321706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4088425866.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1662409618.00000000044BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e-dekont.exe PID: 7424, type: MEMORYSTR