Windows Analysis Report
DEKONT.exe

Overview

General Information

Sample name: DEKONT.exe
Analysis ID: 1430860
MD5: 384c4da2b75f4c7a1fa5585bc07634e6
SHA1: 27d368536af080b92d543f9c24af8596cc0edd6d
SHA256: 8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
Tags: exe

Detection

PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: DEKONT.exe Avira: detected
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "s.reyhani@agmfilter.com", "Password": "sibelr_63017", "Host": "mail.agmfilter.com", "Port": "587"}
Source: scratchdreams.tk Virustotal: Detection: 17% Perma Link
Source: https://scratchdreams.tk Virustotal: Detection: 16% Perma Link
Source: http://scratchdreams.tk Virustotal: Detection: 17% Perma Link
Source: https://scratchdreams.tk/_send_.php?TS Virustotal: Detection: 14% Perma Link
Source: DEKONT.exe ReversingLabs: Detection: 44%
Source: DEKONT.exe Virustotal: Detection: 47% Perma Link
Source: DEKONT.exe Joe Sandbox ML: detected
Source: DEKONT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: DEKONT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: YaaO.pdbSHA256 source: DEKONT.exe
Source: Binary string: YaaO.pdb source: DEKONT.exe
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_05972E10
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_05972E08
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_05972880
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_07AB1C08
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_07AB24A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07AB24A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_07AB2495
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07AB2495
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 07ABFA6Ah 0_2_07ABF1EC
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then xor edx, edx 0_2_07AB1FC5
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then xor edx, edx 0_2_07AB1FD0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_07AB1D6C
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07AB1D6C
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_07AB1D78
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07AB1D78
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_07AB1BFD
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 02DCF7A1h 3_2_02DCF4E8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02DCEA08
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 02DCFBF9h 3_2_02DCF941
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2DDC1h 3_2_05B2DB18
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B22658h 3_2_05B22586
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B22091h 3_2_05B21DE0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B217D1h 3_2_05B21520
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2F7D1h 3_2_05B2F528
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2C809h 3_2_05B2C560
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2EF21h 3_2_05B2EC78
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B20F11h 3_2_05B20C60
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2E219h 3_2_05B2DF70
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2D969h 3_2_05B2D6C0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2D0B9h 3_2_05B2CE10
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2CC61h 3_2_05B2C9B8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B21C31h 3_2_05B21980
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2FC29h 3_2_05B2F980
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2C3B1h 3_2_05B2C108
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2F379h 3_2_05B2F0D0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B21371h 3_2_05B210C0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2EAC9h 3_2_05B2E820
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2021Dh 3_2_05B20040
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B20BA7h 3_2_05B20040
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2E671h 3_2_05B2E3C8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B2D511h 3_2_05B2D268
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 05B22658h 3_2_05B22240
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE8D95h 3_2_06CE8A58
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE72C9h 3_2_06CE7020
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE6169h 3_2_06CE5EC0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE5D11h 3_2_06CE5A68
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE88A9h 3_2_06CE8600
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE6E71h 3_2_06CE6BC8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_06CE37FB
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE6A19h 3_2_06CE6770
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE65C1h 3_2_06CE6318
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE7BA1h 3_2_06CE78F8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE0B99h 3_2_06CE08F0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE0741h 3_2_06CE0498
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE774Ah 3_2_06CE74A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE02E9h 3_2_06CE0040
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_06CE3808
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE5891h 3_2_06CE55E8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE8451h 3_2_06CE81A8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE1449h 3_2_06CE11A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE0FF1h 3_2_06CE0D48
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 4x nop then jmp 06CE7FF9h 3_2_06CE7D50
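
The block above records one HTTPS session negotiated at TLS 1.0 (104.21.67.152:443), and the Networking section lists two JA3 client fingerprints. The Python below is an added example, not code from the report or from the sample: it parses a TLS ClientHello, flags a client that offers a legacy version, and derives the JA3 string and MD5 the way the fingerprint in the report is computed (version, cipher suites, extension types, supported groups and point formats, GREASE values removed). The ClientHello bytes are constructed here to imitate a legacy .NET client offering TLS 1.0 with SNI reallyfreegeoip.org; they are not captured traffic, so the digest they produce is not one of the two fingerprints in the report.

```python
"""Parse a TLS ClientHello, flag a legacy offered version and compute its JA3.

Added example, not part of the Joe Sandbox report. The ClientHello bytes are
constructed below to resemble a legacy .NET client offering TLS 1.0; they are
not captured from the DEKONT.exe sample.
"""
import hashlib
import struct

def _is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops them
    # so a client that randomises GREASE keeps a stable fingerprint.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def parse_client_hello(record: bytes) -> dict:
    """Return offered version, cipher suites, extension types, groups and point formats."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip client_random
    pos += 1 + body[pos]                           # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                           # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    ext_types, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 10:                            # supported_groups
            gl = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + gl, 2)]
        elif etype == 11:                          # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}

def ja3(record: bytes) -> tuple[str, str]:
    """JA3 = MD5 of 'version,ciphers,extensions,groups,formats' (decimal, GREASE removed)."""
    h = parse_client_hello(record)
    s = ",".join([
        str(h["version"]),
        "-".join(str(c) for c in h["ciphers"] if not _is_grease(c)),
        "-".join(str(e) for e in h["extensions"] if not _is_grease(e)),
        "-".join(str(g) for g in h["groups"] if not _is_grease(g)),
        "-".join(str(f) for f in h["formats"]),
    ])
    return s, hashlib.md5(s.encode()).hexdigest()

def is_legacy_tls(record: bytes) -> bool:
    """True when the offered ClientHello version is TLS 1.1 (0x0302) or older.

    The 'version: TLS 1.0' in the report is the negotiated version taken from
    the ServerHello; a client that offers 0x0301 cannot negotiate anything newer.
    """
    return parse_client_hello(record)["version"] <= 0x0302

def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data

def build_sample_client_hello(version: int = 0x0301) -> bytes:
    """Constructed ClientHello (not captured traffic) with GREASE values to exercise filtering."""
    sni = b"reallyfreegeoip.org"
    sni_list = struct.pack("!BH", 0, len(sni)) + sni
    exts = (
        _ext(0, struct.pack("!H", len(sni_list)) + sni_list)        # server_name
        + _ext(10, struct.pack("!HHH", 4, 23, 24))                   # secp256r1, secp384r1
        + _ext(11, bytes([1, 0]))                                    # uncompressed points
        + _ext(13, struct.pack("!HHH", 4, 0x0401, 0x0501))           # signature_algorithms
        + _ext(0x1A1A, b"")                                          # GREASE extension
    )
    ciphers = struct.pack("!6H", 0x0A0A, 0xC013, 0xC014, 0x002F, 0x0035, 0x000A)
    body = (
        struct.pack("!H", version)
        + bytes(32)                                # client_random (zeros, constructed)
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(ciphers)) + ciphers
        + b"\x01\x00"                              # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    rec = build_sample_client_hello()
    s, digest = ja3(rec)
    print(s, digest, "legacy" if is_legacy_tls(rec) else "modern")
```

Run the file to print the JA3 string, its MD5 and the legacy flag for the constructed hello; feed `ja3()` the first handshake record of a real capture to compare against the two fingerprints in the report. JA3 hashes are a hint, not an identity: the same .NET runtime on the same Windows build produces the same fingerprint for benign software, so use the hash together with the destination and the User-Agent evidence rather than on its own.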

Networking

Source: Yara match File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View IP Address: 104.21.27.85 104.21.27.85
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003163000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000308D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scratchdreams.tk
Source: DEKONT.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36$
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36(
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
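
The traffic above is the sample's recon and exfil pattern: a GET to checkip.dyndns.org carrying a fixed, very old User-Agent (MSIE 6.0 / .NET CLR 1.0.3705), a GET to reallyfreegeoip.org/xml/<public IP> with no User-Agent at all (the IP embedded in the path is the one the first request returned), and a GET to scratchdreams.tk/_send_.php?TS. The Python below is an added example, not code from the report or the sample, showing how that pattern can be flagged in web-proxy logs. The log format (tab-separated timestamp, client, method, URL, User-Agent, with '-' for a request that sent no User-Agent) and the log lines themselves are constructed; the hosts, path, User-Agent string and the sandbox client address 192.168.2.8 are taken from the report, and the five-minute correlation window is an assumption.

```python
"""Flag the Snake Keylogger HTTP pattern recorded above in web-proxy logs.

Added example, not part of the Joe Sandbox report. The log format (tab-separated
timestamp, client, method, URL, User-Agent; '-' for no User-Agent) and the log
lines are constructed for this demonstration. The indicators (hosts, path and
User-Agent string) are the ones listed in the report's Networking section.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators from the report. LEGACY_UA is the fixed string the sample sent.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOST = "reallyfreegeoip.org"
GEOIP_PATH = re.compile(r"^/xml/\d{1,3}(?:\.\d{1,3}){3}$")
EXFIL_HOST = "scratchdreams.tk"
EXFIL_PATH = "/_send_.php"
RECON_WINDOW = timedelta(minutes=5)   # assumption: the two recon requests arrive close together

# Constructed log lines: one infected client (the sandbox's 192.168.2.8) and one
# benign browser that also queries the geoip service.
SAMPLE_LOG = """\
2024-04-22T10:00:01\t192.168.2.8\tGET\thttp://checkip.dyndns.org/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2024-04-22T10:00:03\t192.168.2.8\tGET\thttps://reallyfreegeoip.org/xml/154.16.105.36\t-
2024-04-22T10:00:09\t192.168.2.8\tGET\thttps://scratchdreams.tk/_send_.php?TS\t-
2024-04-22T10:02:00\t192.168.2.20\tGET\thttps://reallyfreegeoip.org/xml/203.0.113.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0
"""

def parse_log(text: str) -> list[dict]:
    """Split each line into a request record; a '-' User-Agent becomes ua=None."""
    events = []
    for line in text.strip().splitlines():
        ts, client, method, url, ua = line.split("\t")
        u = urlsplit(url)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": (u.hostname or "").lower(),
                       "path": u.path, "ua": None if ua == "-" else ua})
    return events

def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (client, rule) pairs in time order.

    Per-request rules: the legacy UA on an IP-check service, a geoip lookup sent
    without any User-Agent, and the exfil endpoint seen in the report. The
    sequence rule correlates an IP check followed shortly by a geoip lookup from
    the same client; the geoip URL embeds the public IP that the IP check
    returns, so the IP check necessarily comes first.
    """
    hits = []
    last_ipcheck: dict[str, datetime] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] in IP_CHECK_HOSTS:
            if e["ua"] == LEGACY_UA:
                hits.append((e["client"], "legacy_msie6_ua_ip_check"))
            last_ipcheck[e["client"]] = e["ts"]
        elif e["host"] == GEOIP_HOST and GEOIP_PATH.match(e["path"]):
            if e["ua"] is None:
                hits.append((e["client"], "geoip_lookup_without_ua"))
            t0 = last_ipcheck.get(e["client"])
            if t0 is not None and e["ts"] - t0 <= RECON_WINDOW:
                hits.append((e["client"], "ip_check_then_geoip_sequence"))
        elif e["host"] == EXFIL_HOST and e["path"] == EXFIL_PATH:
            hits.append((e["client"], "known_snake_exfil_endpoint"))
    return hits

if __name__ == "__main__":
    for client, rule in detect(parse_log(SAMPLE_LOG)):
        print(client, rule)
```

checkip.dyndns.org and reallyfreegeoip.org are public services used by plenty of benign software, so a rule on either host alone is low confidence; the fixed MSIE 6.0 User-Agent, the missing User-Agent on the geoip lookup, and the check-then-geoip sequence from one client are what make the pattern specific. The scratchdreams.tk endpoint is a per-build indicator that can change or be re-registered, so date it and re-validate before relying on it. For the HTTPS requests the proxy must log the SNI or Host header, otherwise only the IP and the JA3 evidence listed above remain.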

System Summary

Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_017FDFE4 0_2_017FDFE4
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_032A12A0 0_2_032A12A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_05976E40 0_2_05976E40
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_05970598 0_2_05970598
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_05970589 0_2_05970589
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_05976E31 0_2_05976E31
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059A7684 0_2_059A7684
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059A766D 0_2_059A766D
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059ABC20 0_2_059ABC20
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB04B8 0_2_07AB04B8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB01A0 0_2_07AB01A0
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABC7A8 0_2_07ABC7A8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABC7B8 0_2_07ABC7B8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB04A8 0_2_07AB04A8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB0190 0_2_07AB0190
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB1139 0_2_07AB1139
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABB101 0_2_07ABB101
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07AB1148 0_2_07AB1148
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1373034560.0000000003210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1373381739.00000000034E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000000.1356401634.000000000108C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameYaaO.exeL vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1372333783.000000000161E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.3819949173.00000000010F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe Binary or memory string: OriginalFilenameYaaO.exeL vs DEKONT.exe
Source: DEKONT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: DEKONT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, -C.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, -C.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: _0020.AddAccessRule
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs Security API names: _0020.AddAccessRule
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, gBrw0gPbXtcXH18PyW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, gBrw0gPbXtcXH18PyW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.37ddc5c.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.3439f78.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.344a334.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.5b60000.12.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/3
Source: C:\Users\user\Desktop\DEKONT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log
Source: C:\Users\user\Desktop\DEKONT.exe Mutant created: NULL
Source: DEKONT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DEKONT.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DEKONT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003228000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3824813845.0000000004060000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000326E000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003238000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003246000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000327A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DEKONT.exe ReversingLabs: Detection: 44%
Source: DEKONT.exe Virustotal: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\DEKONT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\DEKONT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DEKONT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DEKONT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DEKONT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DEKONT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: YaaO.pdbSHA256 source: DEKONT.exe
Source: Binary string: YaaO.pdb source: DEKONT.exe

Data Obfuscation

Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: DEKONT.exe, frm_Graph_Drawer.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs .Net Code: V0iuXfAkuX System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs .Net Code: V0iuXfAkuX System.Reflection.Assembly.Load(byte[])
Source: DEKONT.exe Static PE information: 0x8DFED4A7 [Wed Jun 28 18:40:39 2045 UTC]
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_017FDD18 push eax; iretd 0_2_017FF3A9
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_017FF3F0 pushfd ; iretd 0_2_017FF3F1
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059A37D0 push eax; iretd 0_2_059A37D1
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059ACF50 push eax; mov dword ptr [esp], edx 0_2_059ACF64
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059A3932 pushfd ; iretd 0_2_059A3939
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_059A38B2 pushad ; iretd 0_2_059A38B9
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF6DE pushfd ; iretd 0_2_07ABF6DF
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF5EE pushfd ; iretd 0_2_07ABF5EF
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF4C7 pushfd ; iretd 0_2_07ABF4C8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF1AA pushfd ; iretd 0_2_07ABF1AB
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF132 pushfd ; iretd 0_2_07ABF133
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 0_2_07ABF8F7 pushfd ; iretd 0_2_07ABF8F8
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_02DC9770 push esp; ret 3_2_02DC9771
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_06CE3671 push es; iretd 3_2_06CE367C
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_06CEF75D push es; ret 3_2_06CEF888
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_06CEF889 push es; ret 3_2_06CEF888
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_06CE9045 push es; ret 3_2_06CE904C
Source: DEKONT.exe Static PE information: section name: .text entropy: 7.894619562911896
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, j7d5IZaVDa8eflLKhe.cs High entropy of concatenated method names: 'Dispose', 'YQbSRd8CIr', 'NBkGmQUEBF', 'l2btt69X0M', 'lpGSjvFYN1', 'T41SzQibdE', 'ProcessDialogKey', 'DHAGT9kF5E', 'xMoGSWPl4N', 'J5RGG0yyrD'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, NrVOQ4zeWdeVemv54c.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sqEy06EkHZ', 'i64yhNOq3b', 'CqJyZL140A', 'Ykuy83HTux', 'NF2y6ok59K', 'tv6yyGLf15', 'H9gyKWXGYY'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, muuaUoYiGSoCDdtP5k.cs High entropy of concatenated method names: 'WiEySSoxDY', 'r3HybsKy6r', 'KMByuWM7mR', 'daQyYEVdcn', 'NPZyVdwErR', 'sikyas3i1e', 'AtUy3Dl89Q', 'xlU6J8bIC6', 'Jga6QmZZ6c', 'Vrq6RCXOQ4'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, yF000nJfGcUm3eXcd6.cs High entropy of concatenated method names: 'LsTSg9qWCk', 'xvKSFUP70r', 'vXJSUjRcoZ', 'uEtS9TwUOF', 'gkqShoV01o', 'yiNSZ0Mj9A', 'gkEcbl9QpfuwCiLQcE', 'JCAj49fxwY6ICSYfRW', 'RYXSSaPVrK', 'NsUSbbFICD'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, YmAf6MkD2jSb9njWmK.cs High entropy of concatenated method names: 'Esd3dvXPia', 'l8j3LRaKLp', 'Wno3XihAPf', 'Pfk3fKsF7l', 'F6u3OADrMx', 'kW23e9nTgp', 'Qqe3Mj18Q6', 'IkJ3oWxDRL', 'rDxX9h4BY6BCoD2uUom', 'NVmtcI4jAGOGIfDqbJA'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, f5NFKofKgfJb7mVTpo.cs High entropy of concatenated method names: 'QB4hAtCDIS', 'TBUhkOP5su', 'i6WhcPjsUr', 'Tg2hnEwqNI', 'vUChmEU4y1', 'OpqhD6IYBw', 'LG7hr5EW6A', 'WFAhi6Is42', 'xd1h5NmDN6', 'c6VhNCRtrY'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, T2wON1nl2AHSS7i3Cd.cs High entropy of concatenated method names: 'vs6aqYDlJe', 'vIEae1JnTG', 'LL2CDM179A', 'PSiCrsb9I1', 'S9jCi1Y0VS', 'QvSC5XKyyU', 'RkmCNB2iQs', 'UGjCxsH1w9', 'cLwCvmB9p1', 'CORCAJRthF'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, e2x0LcsrhHTSFP8f88.cs High entropy of concatenated method names: 'qqu8QNTANw', 'tjS8jDCbGN', 'HLR6TNmS3T', 'PR06S39DBg', 'FhF823uPbT', 'qBE8khOYIe', 'cha8sH9DN2', 'WJq8cLXvwq', 'wsI8nI3iHl', 'SFX845yDgj'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, A0ifTxEhkahsKJcug7.cs High entropy of concatenated method names: 'qov0ILdnPw', 'Eqd0MX1MS3', 'yLc0HR4vPr', 'B9K0mQaHsB', 'uXY0rNBQKy', 'Sw00i1gugn', 'n7t0NoQMtU', 'TDf0xJfVEt', 'TJx0A82xCL', 'tX402bl8NB'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, hgicsSiWJil1ySVfNkc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CGJKcCiosc', 'BxcKnge9VJ', 'rgjK4IDRDk', 'tH3Kp6QFnC', 'GycKWTFqhk', 'FE0KP6U07J', 'moiKJ3XABH'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, gBrw0gPbXtcXH18PyW.cs High entropy of concatenated method names: 'PWHVcgh4Zo', 'rimVnfljhR', 'xNOV4ga8Wx', 'vv6VpOndoN', 'qqAVWKBehY', 'wE9VPhSDcJ', 'rMaVJaJb58', 'qNGVQPJT1b', 'KyBVRqIL8x', 'YZqVjrhrtb'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Vu7uKBGDy1SRZu1Rwk.cs High entropy of concatenated method names: 'KJS3wNu6nd', 'vHZ3V0if6Y', 'DGP3aovHcZ', 'EAC3gmZJU5', 'R6p3FIvIBa', 'w2HaW6O5LH', 'NXPaPqDd8s', 'L6EaJAIPF4', 'WJdaQBrDvJ', 'XEZaRU4F80'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, dZi2dj2hRfNN8h8ksu.cs High entropy of concatenated method names: 'ToString', 'rDLZ2npVs2', 'fuNZmmn1P9', 'DOQZDAglPg', 'wqpZrqQ7wH', 'mhvZiaEdXb', 'HlxZ5bTTva', 'MDuZNy0fHq', 'jovZxqtMGH', 'iZ4ZvWVp7j'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, KXbphEuMQhqJVEQoHN.cs High entropy of concatenated method names: 'fTCXV8POU', 'YOsf4DMSK', 'zKPOQTjUT', 'vUGe7Yu1f', 's8SMVdvbn', 'ECPoxvOp1', 'wJ0l7PP7mgVKm7pksU', 'LONHPEUi8265Ew4qbO', 'aSx6QGAIn', 'M9xKlMe4m'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, lGaBmFeZoKPSkJP2Yp.cs High entropy of concatenated method names: 'vc5CfD3IXy', 'ASLCOnWPQI', 'L2yCIvLsAb', 'To3CMUXlDp', 'BLMChjwWcj', 'JVxCZHJC3O', 'ut0C81SnUE', 'x28C69df3j', 'UdyCyyAOmi', 'S4dCKHEocf'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Ywj4IaidrNmP8uv9vDJ.cs High entropy of concatenated method names: 'Id5yLlpHWO', 'gy4yB3XQ69', 'FSwyX5YUs8', 'FL8yfTf6iA', 'SIxyqarAE2', 'rlZyOpucCs', 'xtFyeCEA0d', 'WoQyIEeMQj', 'BoOyMx7XYH', 'j92yo63jMS'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, B4811WBL5mqt3ICmNd.cs High entropy of concatenated method names: 'Be6gYa1Mry', 'RNhgCCPmnl', 'MT3g3r93XP', 'DFi3jou71e', 'mIk3z8TjwO', 'ujdgTSmMtM', 'KYhgSq3AZk', 'XNQgGWHuTJ', 'HS8gbK7J3w', 'G0mguGLxOI'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, rLmnNArP7PMRCd7lnZ.cs High entropy of concatenated method names: 'Evl6Y0Whxr', 'qgR6VsEdAm', 're76CWwgB0', 'bZC6aM43Io', 'TSg63UMjKx', 'Ivm6gFNOlM', 'byg6FFB0R0', 'UcN6EaaGCV', 'V4w6UCt7Lk', 'jX169cVtTZ'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs High entropy of concatenated method names: 'PxCbwXdJr5', 'D9IbYynKIL', 'l9GbVZSH7o', 'eCLbCFOomy', 'asDbaHLltO', 'GVQb33uaOD', 'HLlbgrTb6P', 'jK2bFQIlLq', 'kCHbEtCv2i', 'YhVbUAoxDl'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, FBG5j0iuYmUu2hs3rvO.cs High entropy of concatenated method names: 'BVSKL8JT5Y', 'VgxKB6mUN7', 'E12KXgaD9m', 'NWbo4MZp6D7eQuKkqtp', 'u4O1ncZ40P2AaXDrFJl', 'rNIAsvZDs2OwHN49hTb', 'kYjD05ZAi6Jpt0QPqwG'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, BFLjVfUFsTVdK6vfYh.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UBPGRQcean', 'Gh7Gj844bg', 'OZ3GzDf4N5', 'ENBbTqRG9y', 'EvRbSr2yTm', 'tq1bGYGv8l', 'T5ybb6hZCk', 'wmqQ5DplEUp2txgLK2P'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, F210rv93PN13RwKJgt.cs High entropy of concatenated method names: 'V51345goeB', 'zfv3pHKBAx', 'jlj3WjfsrN', 'ToString', 'jVt3PTFlX2', 'shK3Jh18kc', 'EBgIAr4FQW6NbudKLPc', 'WknDC34Eysm7R6M5wJZ'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Lx9sgrycVNWcPtH7Mh.cs High entropy of concatenated method names: 'FZQgL2dWTg', 'OZdgBlfbmG', 'iGlgXJAjYy', 'bWhgfsRR8y', 'ey2gqCsvj9', 'wfigO0Ts0Q', 'm0ogeuk6h3', 'BbTgIYsToM', 'yENgMOilNQ', 'xKagoHKFjt'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, AdfsfmCabcv5q7JqiV.cs High entropy of concatenated method names: 'o2H8UTwoUn', 'jtJ89ykxL2', 'ToString', 'b9K8YeR9y5', 'bPX8VfyOgm', 'f228CuIvTQ', 'U3F8aQkjAE', 'A9s83iQBbF', 'MHA8gKCxxM', 'By88FKKrHU'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, tlZ78fq5Zw1LILhJLc.cs High entropy of concatenated method names: 'AAn6HO6HkR', 'Gjt6mhAy5U', 'qOx6DlTZMU', 'eHy6rtgrOM', 'Pba6cWLU3G', 'OJD6i0hRbv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, j7d5IZaVDa8eflLKhe.cs High entropy of concatenated method names: 'Dispose', 'YQbSRd8CIr', 'NBkGmQUEBF', 'l2btt69X0M', 'lpGSjvFYN1', 'T41SzQibdE', 'ProcessDialogKey', 'DHAGT9kF5E', 'xMoGSWPl4N', 'J5RGG0yyrD'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, NrVOQ4zeWdeVemv54c.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sqEy06EkHZ', 'i64yhNOq3b', 'CqJyZL140A', 'Ykuy83HTux', 'NF2y6ok59K', 'tv6yyGLf15', 'H9gyKWXGYY'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, muuaUoYiGSoCDdtP5k.cs High entropy of concatenated method names: 'WiEySSoxDY', 'r3HybsKy6r', 'KMByuWM7mR', 'daQyYEVdcn', 'NPZyVdwErR', 'sikyas3i1e', 'AtUy3Dl89Q', 'xlU6J8bIC6', 'Jga6QmZZ6c', 'Vrq6RCXOQ4'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, yF000nJfGcUm3eXcd6.cs High entropy of concatenated method names: 'LsTSg9qWCk', 'xvKSFUP70r', 'vXJSUjRcoZ', 'uEtS9TwUOF', 'gkqShoV01o', 'yiNSZ0Mj9A', 'gkEcbl9QpfuwCiLQcE', 'JCAj49fxwY6ICSYfRW', 'RYXSSaPVrK', 'NsUSbbFICD'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, YmAf6MkD2jSb9njWmK.cs High entropy of concatenated method names: 'Esd3dvXPia', 'l8j3LRaKLp', 'Wno3XihAPf', 'Pfk3fKsF7l', 'F6u3OADrMx', 'kW23e9nTgp', 'Qqe3Mj18Q6', 'IkJ3oWxDRL', 'rDxX9h4BY6BCoD2uUom', 'NVmtcI4jAGOGIfDqbJA'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, f5NFKofKgfJb7mVTpo.cs High entropy of concatenated method names: 'QB4hAtCDIS', 'TBUhkOP5su', 'i6WhcPjsUr', 'Tg2hnEwqNI', 'vUChmEU4y1', 'OpqhD6IYBw', 'LG7hr5EW6A', 'WFAhi6Is42', 'xd1h5NmDN6', 'c6VhNCRtrY'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, T2wON1nl2AHSS7i3Cd.cs High entropy of concatenated method names: 'vs6aqYDlJe', 'vIEae1JnTG', 'LL2CDM179A', 'PSiCrsb9I1', 'S9jCi1Y0VS', 'QvSC5XKyyU', 'RkmCNB2iQs', 'UGjCxsH1w9', 'cLwCvmB9p1', 'CORCAJRthF'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, e2x0LcsrhHTSFP8f88.cs High entropy of concatenated method names: 'qqu8QNTANw', 'tjS8jDCbGN', 'HLR6TNmS3T', 'PR06S39DBg', 'FhF823uPbT', 'qBE8khOYIe', 'cha8sH9DN2', 'WJq8cLXvwq', 'wsI8nI3iHl', 'SFX845yDgj'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, A0ifTxEhkahsKJcug7.cs High entropy of concatenated method names: 'qov0ILdnPw', 'Eqd0MX1MS3', 'yLc0HR4vPr', 'B9K0mQaHsB', 'uXY0rNBQKy', 'Sw00i1gugn', 'n7t0NoQMtU', 'TDf0xJfVEt', 'TJx0A82xCL', 'tX402bl8NB'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, hgicsSiWJil1ySVfNkc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CGJKcCiosc', 'BxcKnge9VJ', 'rgjK4IDRDk', 'tH3Kp6QFnC', 'GycKWTFqhk', 'FE0KP6U07J', 'moiKJ3XABH'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, gBrw0gPbXtcXH18PyW.cs High entropy of concatenated method names: 'PWHVcgh4Zo', 'rimVnfljhR', 'xNOV4ga8Wx', 'vv6VpOndoN', 'qqAVWKBehY', 'wE9VPhSDcJ', 'rMaVJaJb58', 'qNGVQPJT1b', 'KyBVRqIL8x', 'YZqVjrhrtb'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Vu7uKBGDy1SRZu1Rwk.cs High entropy of concatenated method names: 'KJS3wNu6nd', 'vHZ3V0if6Y', 'DGP3aovHcZ', 'EAC3gmZJU5', 'R6p3FIvIBa', 'w2HaW6O5LH', 'NXPaPqDd8s', 'L6EaJAIPF4', 'WJdaQBrDvJ', 'XEZaRU4F80'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, dZi2dj2hRfNN8h8ksu.cs High entropy of concatenated method names: 'ToString', 'rDLZ2npVs2', 'fuNZmmn1P9', 'DOQZDAglPg', 'wqpZrqQ7wH', 'mhvZiaEdXb', 'HlxZ5bTTva', 'MDuZNy0fHq', 'jovZxqtMGH', 'iZ4ZvWVp7j'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, KXbphEuMQhqJVEQoHN.cs High entropy of concatenated method names: 'fTCXV8POU', 'YOsf4DMSK', 'zKPOQTjUT', 'vUGe7Yu1f', 's8SMVdvbn', 'ECPoxvOp1', 'wJ0l7PP7mgVKm7pksU', 'LONHPEUi8265Ew4qbO', 'aSx6QGAIn', 'M9xKlMe4m'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, lGaBmFeZoKPSkJP2Yp.cs High entropy of concatenated method names: 'vc5CfD3IXy', 'ASLCOnWPQI', 'L2yCIvLsAb', 'To3CMUXlDp', 'BLMChjwWcj', 'JVxCZHJC3O', 'ut0C81SnUE', 'x28C69df3j', 'UdyCyyAOmi', 'S4dCKHEocf'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Ywj4IaidrNmP8uv9vDJ.cs High entropy of concatenated method names: 'Id5yLlpHWO', 'gy4yB3XQ69', 'FSwyX5YUs8', 'FL8yfTf6iA', 'SIxyqarAE2', 'rlZyOpucCs', 'xtFyeCEA0d', 'WoQyIEeMQj', 'BoOyMx7XYH', 'j92yo63jMS'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, B4811WBL5mqt3ICmNd.cs High entropy of concatenated method names: 'Be6gYa1Mry', 'RNhgCCPmnl', 'MT3g3r93XP', 'DFi3jou71e', 'mIk3z8TjwO', 'ujdgTSmMtM', 'KYhgSq3AZk', 'XNQgGWHuTJ', 'HS8gbK7J3w', 'G0mguGLxOI'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, rLmnNArP7PMRCd7lnZ.cs High entropy of concatenated method names: 'Evl6Y0Whxr', 'qgR6VsEdAm', 're76CWwgB0', 'bZC6aM43Io', 'TSg63UMjKx', 'Ivm6gFNOlM', 'byg6FFB0R0', 'UcN6EaaGCV', 'V4w6UCt7Lk', 'jX169cVtTZ'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs High entropy of concatenated method names: 'PxCbwXdJr5', 'D9IbYynKIL', 'l9GbVZSH7o', 'eCLbCFOomy', 'asDbaHLltO', 'GVQb33uaOD', 'HLlbgrTb6P', 'jK2bFQIlLq', 'kCHbEtCv2i', 'YhVbUAoxDl'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, FBG5j0iuYmUu2hs3rvO.cs High entropy of concatenated method names: 'BVSKL8JT5Y', 'VgxKB6mUN7', 'E12KXgaD9m', 'NWbo4MZp6D7eQuKkqtp', 'u4O1ncZ40P2AaXDrFJl', 'rNIAsvZDs2OwHN49hTb', 'kYjD05ZAi6Jpt0QPqwG'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, BFLjVfUFsTVdK6vfYh.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UBPGRQcean', 'Gh7Gj844bg', 'OZ3GzDf4N5', 'ENBbTqRG9y', 'EvRbSr2yTm', 'tq1bGYGv8l', 'T5ybb6hZCk', 'wmqQ5DplEUp2txgLK2P'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, F210rv93PN13RwKJgt.cs High entropy of concatenated method names: 'V51345goeB', 'zfv3pHKBAx', 'jlj3WjfsrN', 'ToString', 'jVt3PTFlX2', 'shK3Jh18kc', 'EBgIAr4FQW6NbudKLPc', 'WknDC34Eysm7R6M5wJZ'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Lx9sgrycVNWcPtH7Mh.cs High entropy of concatenated method names: 'FZQgL2dWTg', 'OZdgBlfbmG', 'iGlgXJAjYy', 'bWhgfsRR8y', 'ey2gqCsvj9', 'wfigO0Ts0Q', 'm0ogeuk6h3', 'BbTgIYsToM', 'yENgMOilNQ', 'xKagoHKFjt'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, AdfsfmCabcv5q7JqiV.cs High entropy of concatenated method names: 'o2H8UTwoUn', 'jtJ89ykxL2', 'ToString', 'b9K8YeR9y5', 'bPX8VfyOgm', 'f228CuIvTQ', 'U3F8aQkjAE', 'A9s83iQBbF', 'MHA8gKCxxM', 'By88FKKrHU'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, tlZ78fq5Zw1LILhJLc.cs High entropy of concatenated method names: 'AAn6HO6HkR', 'Gjt6mhAy5U', 'qOx6DlTZMU', 'eHy6rtgrOM', 'Pba6cWLU3G', 'OJD6i0hRbv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: C:\Users\user\Desktop\DEKONT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 3400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 8140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 9140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 92F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: A2F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: A880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: B880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: C880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 2FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598093
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597984
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597875
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597656
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597547
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597438
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597313
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597188
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597063
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596938
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596719
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596594
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\DEKONT.exe Window / User API: threadDelayed 2109
Source: C:\Users\user\Desktop\DEKONT.exe Window / User API: threadDelayed 7718
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7404 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7692 Thread sleep count: 2109 > 30
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7692 Thread sleep count: 7718 > 30
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596938s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596719s >= -30000s
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597656 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597438 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Thread delayed: delay time: 594235 Jump to behavior
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000000.00000002.1373034560.0000000003210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: bWhgfsRR8y
Source: DEKONT.exe, 00000003.00000002.3819986025.0000000001156000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll50a3
Source: C:\Users\user\Desktop\DEKONT.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Code function: 3_2_05B2BE28 LdrInitializeThunk, 3_2_05B2BE28
Source: C:\Users\user\Desktop\DEKONT.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DEKONT.exe Memory written: C:\Users\user\Desktop\DEKONT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DEKONT.exe Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DEKONT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.DEKONT.exe.4409970.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4409970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR
Source: C:\Users\user\Desktop\DEKONT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DEKONT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DEKONT.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\DEKONT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.DEKONT.exe.4409970.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4409970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR