Windows Analysis Report
DEKONT.exe

Overview

General Information

Sample name:	DEKONT.exe
Analysis ID:	1434016
MD5:	c766a45151c2a9b0879095062dc566fe
SHA1:	c9587ac978a75933670dd94c3766e635afeed2e8
SHA256:	d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1
Tags:	exegeoTUR
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4533476899.0000000002811000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@eraslangroup.net", "Password": "aHZAyjDK", "Host": "mail.eraslangroup.net", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for submitted file

Source: DEKONT.exe	ReversingLabs: Detection: 60%
Source: DEKONT.exe	Virustotal: Detection: 63%			Perma Link

Machine Learning detection for sample

Source: DEKONT.exe

Joe Sandbox ML: detected

Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en

HTTP Parser: No favicon

Uses 32bit PE files

Source: DEKONT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49744 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49762 version: TLS 1.2

Source: DEKONT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WCKm.pdbSHA256i source: DEKONT.exe
Source:	Binary string: WCKm.pdb source: DEKONT.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 07489F97h	0_2_0748A076
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A40F11h	3_2_00A40C60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4021Dh	3_2_00A40040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A40BA7h	3_2_00A40040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A42091h	3_2_00A41DE0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4D969h	3_2_00A4D6C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A42658h	3_2_00A42240
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A41371h	3_2_00A410C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4F379h	3_2_00A4F0D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4EAC9h	3_2_00A4E820
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4EF21h	3_2_00A4EC78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4CC61h	3_2_00A4C9B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A42658h	3_2_00A42586
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4FC29h	3_2_00A4F980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A41C31h	3_2_00A41980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A417D1h	3_2_00A41520
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4F7D1h	3_2_00A4F528
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4C3B1h	3_2_00A4C108
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4C809h	3_2_00A4C560
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A42658h	3_2_00A4223B
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4D0B9h	3_2_00A4CE10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4D511h	3_2_00A4D268
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4E671h	3_2_00A4E3C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4DDC1h	3_2_00A4DB18
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A4E219h	3_2_00A4DF70
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A58D95h	3_2_00A58A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A56E71h	3_2_00A56BC8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A5774Ah	3_2_00A574A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A50741h	3_2_00A50498
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A50B99h	3_2_00A508F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A57BA1h	3_2_00A578F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A572C9h	3_2_00A57020
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_00A53800
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_00A53808
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A502E9h	3_2_00A50040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A51449h	3_2_00A511A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A58451h	3_2_00A581A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A55891h	3_2_00A555E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A50FF1h	3_2_00A50D48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A57FF9h	3_2_00A57D50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A56169h	3_2_00A55EC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A588A9h	3_2_00A58600
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A55D11h	3_2_00A55A68
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_00A53B1E
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A565C1h	3_2_00A56318
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00A56A19h	3_2_00A56770
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00DAF7A1h	3_2_00DAF4E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then jmp 00DAFBF9h	3_2_00DAF941
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_00DAEA08

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 172.67.169.18 172.67.169.18
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49744 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.241.18
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEI3L3NAQiQys0BCLnKzQEI6dLNAQjo1c0BCMvWzQEIqNjNAQj5wNQVGLrSzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BC9MUCnVktG364a&MD=Uf4OaXNr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.182.8 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BC9MUCnVktG364a&MD=Uf4OaXNr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1Host: ogs.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlKHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=N-xjjYnpCh4mWhLSwjGFoxB19Kcui5XTCgWik9DtR6c91VY2vRMtIXVM1S2a0e8pFg9KglwhSibOtP54sh6z7ax94dYPAoyulIodtCNXrb5qS35mpRmcUk-yCAZ3rLtlSdiop2SxQbOFa7yDZsSla9Ld1BfCbnJLCt_3O_nBsXI
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk
Source: global traffic	DNS traffic detected: DNS query: ogs.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900C4F3X-BM-CBT: 1696488253X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581DX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900C4F3X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-cX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 516Connection: Keep-AliveCache-Control: no-cacheCookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1

Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000296F000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000298B000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002962000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000296F000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000298B000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002912000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002962000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002998000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: DEKONT.exe, 00000003.00000002.4533476899.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: DEKONT.exe, 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000296F000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000298B000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002962000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: DEKONT.exe, 00000003.00000002.4533476899.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: chromecache_63.6.dr	String found in binary or memory: http://www.broofa.com
Source: chromecache_76.6.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_76.6.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_63.6.dr, chromecache_76.6.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_68.6.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_76.6.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_76.6.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_76.6.dr	String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_76.6.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_63.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_79.6.dr	String found in binary or memory: https://ogs.google.com/
Source: chromecache_79.6.dr	String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_70.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_76.6.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_76.6.dr	String found in binary or memory: https://plus.googleapis.com
Source: DEKONT.exe, 00000003.00000002.4533476899.000000000296F000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000298B000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002912000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002962000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: DEKONT.exe, 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.182.8
Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000296F000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000298B000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002912000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002962000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.000000000297D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.182.8$
Source: DEKONT.exe, 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.0000000002811000.00000004.00000800.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: DEKONT.exe, 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: chromecache_79.6.dr	String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_68.6.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_76.6.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_68.6.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_76.6.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_76.6.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_79.6.dr	String found in binary or memory: https://www.gstatic.com
Source: chromecache_79.6.dr	String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.kIS1Dzh9gxA.
Source: chromecache_63.6.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_63.6.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_63.6.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.159.127.243:443 -> 192.168.2.6:49762 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 1708, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: DEKONT.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DEKONT.exe PID: 7100, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.DEKONT.exe.5c50000.10.raw.unpack, .cs	Large array initialization: : array initializer size 33957
Source: 0.2.DEKONT.exe.3117c0c.3.raw.unpack, .cs	Large array initialization: : array initializer size 33957

Detected potential crypto function

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_013DDCD4	0_2_013DDCD4
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05640040	0_2_05640040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_0564001A	0_2_0564001A
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CA2409	0_2_05CA2409
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CA2418	0_2_05CA2418
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CA2791	0_2_05CA2791
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CA27A0	0_2_05CA27A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CAF108	0_2_05CAF108
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CAD018	0_2_05CAD018
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07482E28	0_2_07482E28
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_0748BE38	0_2_0748BE38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_074885E8	0_2_074885E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07486318	0_2_07486318
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07488018	0_2_07488018
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07482E18	0_2_07482E18
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07485EE0	0_2_07485EE0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_07485AA8	0_2_07485AA8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_05CA9160	0_2_05CA9160
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A49080	3_2_00A49080
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A44490	3_2_00A44490
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A40C60	3_2_00A40C60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A40040	3_2_00A40040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A489B0	3_2_00A489B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41DE0	3_2_00A41DE0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4D6C0	3_2_00A4D6C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A410B0	3_2_00A410B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A44480	3_2_00A44480
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C0F7	3_2_00A4C0F7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A410C0	3_2_00A410C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F0C0	3_2_00A4F0C0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F0D0	3_2_00A4F0D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4E820	3_2_00A4E820
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A48008	3_2_00A48008
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A40011	3_2_00A40011
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4E811	3_2_00A4E811
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4EC69	3_2_00A4EC69
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4906B	3_2_00A4906B
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4EC78	3_2_00A4EC78
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A40C50	3_2_00A40C50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C9A9	3_2_00A4C9A9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C9B8	3_2_00A4C9B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F980	3_2_00A4F980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41980	3_2_00A41980
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41DD0	3_2_00A41DD0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41520	3_2_00A41520
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F528	3_2_00A4F528
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C108	3_2_00A4C108
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41510	3_2_00A41510
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F518	3_2_00A4F518
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C560	3_2_00A4C560
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4F975	3_2_00A4F975
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A41970	3_2_00A41970
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4C550	3_2_00A4C550
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4D6B0	3_2_00A4D6B0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4CE01	3_2_00A4CE01
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4CE10	3_2_00A4CE10
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4D268	3_2_00A4D268
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4D258	3_2_00A4D258
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4E3BC	3_2_00A4E3BC
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A47FF8	3_2_00A47FF8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4E3C8	3_2_00A4E3C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4DB09	3_2_00A4DB09
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4DB18	3_2_00A4DB18
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4DF60	3_2_00A4DF60
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A4DF70	3_2_00A4DF70
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A590A1	3_2_00A590A1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5B4F0	3_2_00A5B4F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5D478	3_2_00A5D478
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5A858	3_2_00A5A858
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5C188	3_2_00A5C188
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A515F8	3_2_00A515F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5AEA8	3_2_00A5AEA8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5DAC0	3_2_00A5DAC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5CE28	3_2_00A5CE28
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A58A58	3_2_00A58A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56BC8	3_2_00A56BC8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5C7D8	3_2_00A5C7D8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5BB38	3_2_00A5BB38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A574A0	3_2_00A574A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A54880	3_2_00A54880
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50488	3_2_00A50488
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A57490	3_2_00A57490
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50498	3_2_00A50498
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A578E7	3_2_00A578E7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A508E1	3_2_00A508E1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5B4E0	3_2_00A5B4E0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A508F0	3_2_00A508F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A578F8	3_2_00A578F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A57020	3_2_00A57020
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A53800	3_2_00A53800
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A53808	3_2_00A53808
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50015	3_2_00A50015
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A57010	3_2_00A57010
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5D473	3_2_00A5D473
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50040	3_2_00A50040
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5A848	3_2_00A5A848
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A52C57	3_2_00A52C57
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A511A0	3_2_00A511A0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A581A8	3_2_00A581A8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A51191	3_2_00A51191
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5819B	3_2_00A5819B
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A555E8	3_2_00A555E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A585F1	3_2_00A585F1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A555D9	3_2_00A555D9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50D38	3_2_00A50D38
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A52D00	3_2_00A52D00
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5C178	3_2_00A5C178
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A57D40	3_2_00A57D40
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A50D48	3_2_00A50D48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A57D50	3_2_00A57D50
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5DAB7	3_2_00A5DAB7
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A55EB1	3_2_00A55EB1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A55EC0	3_2_00A55EC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5CE24	3_2_00A5CE24
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A58600	3_2_00A58600
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A55A68	3_2_00A55A68
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A58A48	3_2_00A58A48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A55A58	3_2_00A55A58
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56BB8	3_2_00A56BB8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A53B80	3_2_00A53B80
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5C7C9	3_2_00A5C7C9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A5BB27	3_2_00A5BB27
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56308	3_2_00A56308
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56318	3_2_00A56318
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56760	3_2_00A56760
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00A56770	3_2_00A56770
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00C4ACC0	3_2_00C4ACC0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00C4DC48	3_2_00C4DC48
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00C4BFEC	3_2_00C4BFEC
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAC1F0	3_2_00DAC1F0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA6168	3_2_00DA6168
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAB388	3_2_00DAB388
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAC4D0	3_2_00DAC4D0
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA6790	3_2_00DA6790
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAC7B1	3_2_00DAC7B1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA98B8	3_2_00DA98B8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DACA91	3_2_00DACA91
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA4B31	3_2_00DA4B31
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DABC32	3_2_00DABC32
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAF4E8	3_2_00DAF4E8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA35C8	3_2_00DA35C8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAB552	3_2_00DAB552
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAE9F8	3_2_00DAE9F8
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAF941	3_2_00DAF941
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAEA08	3_2_00DAEA08

Sample file is different than original file name gathered from version info

Source: DEKONT.exe, 00000000.00000002.2103162004.0000000003159000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2102337678.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2107848211.0000000005C50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000000.2069708386.0000000000D78000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWCKm.exe@ vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2103162004.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2103162004.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2109404292.00000000074A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs DEKONT.exe
Source: DEKONT.exe, 00000003.00000002.4528172010.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DEKONT.exe
Source: DEKONT.exe	Binary or memory string: OriginalFilenameWCKm.exe@ vs DEKONT.exe

Uses 32bit PE files

Source: DEKONT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 1708, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: DEKONT.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DEKONT.exe PID: 7100, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: DEKONT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.5c90000.12.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.5c90000.12.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, lNKeBIKN3fti5yQLCC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, lNKeBIKN3fti5yQLCC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, JKCd0lY9dTMYJoohVk.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/35@15/11

Source: C:\Users\user\Desktop\DEKONT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: C:\Users\user\Desktop\DEKONT.exe	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://545930702158920859543557034480401517872328570392444593641395838190185/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1984,i,5147701504775830983,442634706255467901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\DEKONT.exe	Process created: C:\Users\user\Desktop\DEKONT.exe "C:\Users\user\Desktop\DEKONT.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1984,i,5147701504775830983,442634706255467901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Section loaded: dpapi.dll	Jump to behavior

Source: DEKONT.exe, Form2.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, JKCd0lY9dTMYJoohVk.cs	.Net Code: w57iOkrLLb System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.5c50000.10.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, JKCd0lY9dTMYJoohVk.cs	.Net Code: w57iOkrLLb System.Reflection.Assembly.Load(byte[])
Source: 0.2.DEKONT.exe.3117c0c.3.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_013DF1D0 push esp; iretd	0_2_013DF1D1
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_0564DB53 push esp; iretd	0_2_0564DB59
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 0_2_0748B0B8 push eax; retf	0_2_0748B0B9
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DAB10D pushfd ; iretd	3_2_00DAB112
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA2511 push 8BFFFFFFh; retf	3_2_00DA2517
Source: C:\Users\user\Desktop\DEKONT.exe	Code function: 3_2_00DA9770 push esp; ret	3_2_00DA9771

Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, qbuvMY9nYgOiahLHGN.cs	High entropy of concatenated method names: 'kX5ILgoH5N', 'veWIC6aagK', 'OsupNVHFY4', 'VOjpkV0B0S', 'WY0pWjbOPL', 'CdApo6aUU8', 'GkmpXhefTR', 'x2Tp3npuG1', 'EhXp2VKFGo', 'YOYpFEpu2U'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, w3n7b6b5gig4cCuCAH.cs	High entropy of concatenated method names: 'XbeEFa9yFJ', 'FL6Eb7DZLU', 'HsQE8eKBtu', 'iiXEaQHBg3', 'GA6EUU0p5e', 'ofIENySLZQ', 'gY0EkeAXdZ', 'cApEWS9rDr', 'c97Eol4V8T', 'rE7EXqu7cl'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, RMFPqapjPx5moASObE.cs	High entropy of concatenated method names: 'MIuqROUGdY', 'wtbqUZ9asd', 'lsWqN1R4mk', 'UoKqk6to0K', 'uh7q8FK8tI', 'Y00qWE7ql2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, W8W5N7ENh8ACDxU1kK.cs	High entropy of concatenated method names: 's0tpA6L3dP', 'utEpSob2gd', 'cDmpmDTaly', 'i2dpfNkxKc', 'L24pE9CUpl', 'QZGpZI4fmr', 'Utip4HCfoE', 'HgFpqdZDJC', 'PNWp5vApeN', 'HMbp7UvI9K'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, vMp9LsRA7QCZ8oGxWN.cs	High entropy of concatenated method names: 'I98HDj685d', 'nuVHdJ6JOp', 'VuoHIAfCP3', 'JZtHTC2KUU', 'j8XHyoaZ0y', 'cI9IvPPKBC', 'MxuIgvaxus', 'D3cI6STuRd', 'X7KIrJvIJm', 'NMNIcoYe7y'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, vYiLgv6e8R8TROKat6.cs	High entropy of concatenated method names: 'Rg44rudrVt', 'tBi4G6gLyx', 'S8sqeyIrQS', 'KrDqhkZ2AA', 'rAs4KASVDe', 'cP04b82QMw', 'Y3H4t8U27G', 'RGw48uZwMG', 'Nu34aIATQl', 'jN741NcjBI'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, EeidQb3U77hIwCeGlt.cs	High entropy of concatenated method names: 'KUQ49KlI95', 'DK14wTZBCg', 'ToString', 'lOM4MKRoqv', 'dVp4d1nrIA', 'n8k4pyKVke', 'Oa04IULHvR', 'EHA4H2qZfa', 'vnt4TKTa8d', 'QJ54yeC9hr'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, e48bQ74u1cvmidxw22.cs	High entropy of concatenated method names: 'I6fhTZQSFd', 'I4phyluEFs', 'c3Uh9c9Fb2', 'b9ohwcy4oi', 'cUphEea8Ne', 'YwihZJrWZj', 'zLDJ4CJlL88ovaHCE6', 'GAf42qski9M6wyueh0', 'uurhh6goKj', 'F9fhYDcPUm'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, xEj1AS5IVVQise3Q27.cs	High entropy of concatenated method names: 'DwyOX2oXF', 'qDlAvXdpD', 'f0jSrKBYq', 'UP4CTg1wm', 'qW0fPk0Fe', 'zAvu0SN5y', 'IchoNB00JJYkwT4RiX', 'v932m4jwcLTx6pp9Yd', 'HkEqHK1ko', 'OoQ7NKo5T'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, my4K8mm3A1hmgXQ4Oq.cs	High entropy of concatenated method names: 'rbyTn3XmDL', 'yKpTP0rkTB', 'TjqTOlqemo', 'zbmTAtEPNM', 'D8TTLlTrL5', 'ajwTS10kIP', 'clGTCErc4M', 'AhDTmRCQ8R', 'n1GTfFXbge', 'nbhTudTLVt'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, Bg8RblqlIMvTjS1vCQj.cs	High entropy of concatenated method names: 'ae45nvyE8t', 'vp65PP7FtF', 'XdK5OhkSZs', 'I6B5A7caG0', 'pBG5LR310j', 'hw05SQnJ8L', 'MuP5C6YAd9', 'axM5mgHrMx', 'D3Q5fEOBkY', 'GKK5ufGkWZ'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, JKCd0lY9dTMYJoohVk.cs	High entropy of concatenated method names: 'MKKYDHEUyR', 'jqjYMsuVZS', 'XLvYdq4sFi', 'W7sYp2vQGn', 'rX4YIhYmXs', 'WWeYHk3mix', 'fVWYTAVqy8', 'sKQYyCEyjY', 'g6xYJ1uZVw', 'denY9ay8Eo'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, UiDmLUXfmyWZZuBa9Z.cs	High entropy of concatenated method names: 'BwV5hRodk5', 'uQ95YBjlnk', 'BVP5iavV04', 'VhW5MyxtXC', 'uCg5dHCcHn', 'bbx5Ik2AsG', 'u5S5HgNjOe', 'bMTq6W5vW9', 'QFvqrWP073', 'vMLqc2yoLt'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, lNKeBIKN3fti5yQLCC.cs	High entropy of concatenated method names: 'aOLd8La7dJ', 'WyXdakQp6U', 'rEFd1PTPi3', 'b2GdB0V2Ww', 'luFdv6IcdX', 'OOcdgxm7yI', 'xkQd6uUlb3', 'hBKdruOFBk', 'vlMdcmFfkr', 'wqwdGpWNhp'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, kLyua9qAP1ejx84DB0m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fH178GOdZe', 'ihR7a7COyx', 'PPK71PccSG', 'tjC7BOKVCj', 'BPx7vOE9KR', 'HGH7gXu4Fk', 'IAN76pjWOE'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, McwMUU1auLDl3bufoF.cs	High entropy of concatenated method names: 'L3RqMh1c5K', 'hDFqdIKqjj', 'ewcqpJVhng', 'imxqIkphfa', 'EewqHt2wqC', 'K0CqTZFx2e', 'gWSqypWmLO', 'n8LqJkyRwe', 'sCNq9atuu9', 'em3qwkGJ90'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, VpmQKLk5tAQvLX5JE3.cs	High entropy of concatenated method names: 'Dispose', 'FuJhccEpBX', 'W0ksU95j2I', 'ksKjjfxVdp', 'KTrhG3PS8h', 'ruPhzEXklS', 'ProcessDialogKey', 'NUMse56tPX', 'UpCshMcLVX', 'uJXssrg4hG'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, xlmpsTrQBbWHH5IhLW.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'K92sc7G05n', 'oKtsGgFeJ0', 'QoHsz0jwOu', 'iycYeNyFTV', 'T8oYhfsBRW', 'qUVYsVVI97', 'genYYr1g9D', 'nw8tJsD7sXZbLK65FOy'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, vIQjNbiKj6KV7deLBl.cs	High entropy of concatenated method names: 'IxlTMVYEQG', 'sNITpErgSu', 'VybTH6rMGO', 'duUHGZA3Wv', 'yuPHzXivrx', 'HQOTeUmISS', 'u7sThIsK0x', 'HuUTskixIu', 'gqITYRXE8E', 'nDlTier0TC'
Source: 0.2.DEKONT.exe.4407110.9.raw.unpack, m4c5odd4pG9rZoGDrs.cs	High entropy of concatenated method names: 'rciVm1r07O', 'BpdVfZs3no', 'LSlVRyru1B', 'BM4VUqvCYh', 'nXvVkuejZY', 'qwhVWiUIju', 'hYDVX1Y4kx', 'Id7V3tNg1V', 'J1lVF7iVrj', 'sqyVKcJBUk'
Source: 0.2.DEKONT.exe.5c90000.12.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, qbuvMY9nYgOiahLHGN.cs	High entropy of concatenated method names: 'kX5ILgoH5N', 'veWIC6aagK', 'OsupNVHFY4', 'VOjpkV0B0S', 'WY0pWjbOPL', 'CdApo6aUU8', 'GkmpXhefTR', 'x2Tp3npuG1', 'EhXp2VKFGo', 'YOYpFEpu2U'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, w3n7b6b5gig4cCuCAH.cs	High entropy of concatenated method names: 'XbeEFa9yFJ', 'FL6Eb7DZLU', 'HsQE8eKBtu', 'iiXEaQHBg3', 'GA6EUU0p5e', 'ofIENySLZQ', 'gY0EkeAXdZ', 'cApEWS9rDr', 'c97Eol4V8T', 'rE7EXqu7cl'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, RMFPqapjPx5moASObE.cs	High entropy of concatenated method names: 'MIuqROUGdY', 'wtbqUZ9asd', 'lsWqN1R4mk', 'UoKqk6to0K', 'uh7q8FK8tI', 'Y00qWE7ql2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, W8W5N7ENh8ACDxU1kK.cs	High entropy of concatenated method names: 's0tpA6L3dP', 'utEpSob2gd', 'cDmpmDTaly', 'i2dpfNkxKc', 'L24pE9CUpl', 'QZGpZI4fmr', 'Utip4HCfoE', 'HgFpqdZDJC', 'PNWp5vApeN', 'HMbp7UvI9K'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, vMp9LsRA7QCZ8oGxWN.cs	High entropy of concatenated method names: 'I98HDj685d', 'nuVHdJ6JOp', 'VuoHIAfCP3', 'JZtHTC2KUU', 'j8XHyoaZ0y', 'cI9IvPPKBC', 'MxuIgvaxus', 'D3cI6STuRd', 'X7KIrJvIJm', 'NMNIcoYe7y'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, vYiLgv6e8R8TROKat6.cs	High entropy of concatenated method names: 'Rg44rudrVt', 'tBi4G6gLyx', 'S8sqeyIrQS', 'KrDqhkZ2AA', 'rAs4KASVDe', 'cP04b82QMw', 'Y3H4t8U27G', 'RGw48uZwMG', 'Nu34aIATQl', 'jN741NcjBI'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, EeidQb3U77hIwCeGlt.cs	High entropy of concatenated method names: 'KUQ49KlI95', 'DK14wTZBCg', 'ToString', 'lOM4MKRoqv', 'dVp4d1nrIA', 'n8k4pyKVke', 'Oa04IULHvR', 'EHA4H2qZfa', 'vnt4TKTa8d', 'QJ54yeC9hr'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, e48bQ74u1cvmidxw22.cs	High entropy of concatenated method names: 'I6fhTZQSFd', 'I4phyluEFs', 'c3Uh9c9Fb2', 'b9ohwcy4oi', 'cUphEea8Ne', 'YwihZJrWZj', 'zLDJ4CJlL88ovaHCE6', 'GAf42qski9M6wyueh0', 'uurhh6goKj', 'F9fhYDcPUm'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, xEj1AS5IVVQise3Q27.cs	High entropy of concatenated method names: 'DwyOX2oXF', 'qDlAvXdpD', 'f0jSrKBYq', 'UP4CTg1wm', 'qW0fPk0Fe', 'zAvu0SN5y', 'IchoNB00JJYkwT4RiX', 'v932m4jwcLTx6pp9Yd', 'HkEqHK1ko', 'OoQ7NKo5T'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, my4K8mm3A1hmgXQ4Oq.cs	High entropy of concatenated method names: 'rbyTn3XmDL', 'yKpTP0rkTB', 'TjqTOlqemo', 'zbmTAtEPNM', 'D8TTLlTrL5', 'ajwTS10kIP', 'clGTCErc4M', 'AhDTmRCQ8R', 'n1GTfFXbge', 'nbhTudTLVt'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, Bg8RblqlIMvTjS1vCQj.cs	High entropy of concatenated method names: 'ae45nvyE8t', 'vp65PP7FtF', 'XdK5OhkSZs', 'I6B5A7caG0', 'pBG5LR310j', 'hw05SQnJ8L', 'MuP5C6YAd9', 'axM5mgHrMx', 'D3Q5fEOBkY', 'GKK5ufGkWZ'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, JKCd0lY9dTMYJoohVk.cs	High entropy of concatenated method names: 'MKKYDHEUyR', 'jqjYMsuVZS', 'XLvYdq4sFi', 'W7sYp2vQGn', 'rX4YIhYmXs', 'WWeYHk3mix', 'fVWYTAVqy8', 'sKQYyCEyjY', 'g6xYJ1uZVw', 'denY9ay8Eo'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, UiDmLUXfmyWZZuBa9Z.cs	High entropy of concatenated method names: 'BwV5hRodk5', 'uQ95YBjlnk', 'BVP5iavV04', 'VhW5MyxtXC', 'uCg5dHCcHn', 'bbx5Ik2AsG', 'u5S5HgNjOe', 'bMTq6W5vW9', 'QFvqrWP073', 'vMLqc2yoLt'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, lNKeBIKN3fti5yQLCC.cs	High entropy of concatenated method names: 'aOLd8La7dJ', 'WyXdakQp6U', 'rEFd1PTPi3', 'b2GdB0V2Ww', 'luFdv6IcdX', 'OOcdgxm7yI', 'xkQd6uUlb3', 'hBKdruOFBk', 'vlMdcmFfkr', 'wqwdGpWNhp'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, kLyua9qAP1ejx84DB0m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fH178GOdZe', 'ihR7a7COyx', 'PPK71PccSG', 'tjC7BOKVCj', 'BPx7vOE9KR', 'HGH7gXu4Fk', 'IAN76pjWOE'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, McwMUU1auLDl3bufoF.cs	High entropy of concatenated method names: 'L3RqMh1c5K', 'hDFqdIKqjj', 'ewcqpJVhng', 'imxqIkphfa', 'EewqHt2wqC', 'K0CqTZFx2e', 'gWSqypWmLO', 'n8LqJkyRwe', 'sCNq9atuu9', 'em3qwkGJ90'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, VpmQKLk5tAQvLX5JE3.cs	High entropy of concatenated method names: 'Dispose', 'FuJhccEpBX', 'W0ksU95j2I', 'ksKjjfxVdp', 'KTrhG3PS8h', 'ruPhzEXklS', 'ProcessDialogKey', 'NUMse56tPX', 'UpCshMcLVX', 'uJXssrg4hG'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, xlmpsTrQBbWHH5IhLW.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'K92sc7G05n', 'oKtsGgFeJ0', 'QoHsz0jwOu', 'iycYeNyFTV', 'T8oYhfsBRW', 'qUVYsVVI97', 'genYYr1g9D', 'nw8tJsD7sXZbLK65FOy'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, vIQjNbiKj6KV7deLBl.cs	High entropy of concatenated method names: 'IxlTMVYEQG', 'sNITpErgSu', 'VybTH6rMGO', 'duUHGZA3Wv', 'yuPHzXivrx', 'HQOTeUmISS', 'u7sThIsK0x', 'HuUTskixIu', 'gqITYRXE8E', 'nDlTier0TC'
Source: 0.2.DEKONT.exe.74a0000.13.raw.unpack, m4c5odd4pG9rZoGDrs.cs	High entropy of concatenated method names: 'rciVm1r07O', 'BpdVfZs3no', 'LSlVRyru1B', 'BM4VUqvCYh', 'nXvVkuejZY', 'qwhVWiUIju', 'hYDVX1Y4kx', 'Id7V3tNg1V', 'J1lVF7iVrj', 'sqyVKcJBUk'

Source: C:\Users\user\Desktop\DEKONT.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 7E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 8FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 9FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Memory allocated: 4810000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599651	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599543	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599310	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599189	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 599064	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596759	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596528	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595935	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595784	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595533	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595233	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 594861	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 592094	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591978	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591874	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591765	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591644	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591475	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591353	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591247	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591137	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 591028	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590918	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590809	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590688	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590577	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590453	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590343	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590232	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590124	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 590014	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 589905	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 589791	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 589687	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 589573	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Thread delayed: delay time: 589454	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Window / User API: threadDelayed 3078			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Window / User API: threadDelayed 6735			Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7408	Thread sleep count: 3078 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7408	Thread sleep count: 6735 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599189s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -599064s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596528s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595784s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595533s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -595001s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -594861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -592094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591978s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591644s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591475s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591353s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -591028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590918s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -590014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -589905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -589791s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -589687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -589573s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe TID: 7392	Thread sleep time: -589454s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Users\user\Desktop\DEKONT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 0.2.DEKONT.exe.5c90000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.5c90000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.31ed8d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.31cbc90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.31ec8bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2108181185.0000000005C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2103162004.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.DEKONT.exe.42ce5e0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.42ef000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.DEKONT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.42ef000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DEKONT.exe.42ce5e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4533476899.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4528022712.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104390909.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4533476899.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DEKONT.exe PID: 7100, type: MEMORYSTR

Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Source: C:\Users\user\Desktop\DEKONT.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\DEKONT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
142.250.190.142	unknown	United States	15169	GOOGLEUS	false
142.250.190.46	play.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.169.18	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false
142.250.191.110	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.191.142	plus.l.google.com	United States	15169	GOOGLEUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.191.196	www.google.com	United States	15169	GOOGLEUS	false

Name	IP	Active
plus.l.google.com	142.250.191.142	true
www3.l.google.com	142.250.191.110	true
play.google.com	142.250.190.46	true
reallyfreegeoip.org	172.67.177.134	true
www.google.com	142.250.191.196	true
scratchdreams.tk	172.67.169.18	true
checkip.dyndns.com	132.226.8.169	true
checkip.dyndns.org	unknown	unknown
ogs.google.com	unknown	unknown
apis.google.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/89.187.182.8	false	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_promos	false		high
https://play.google.com/log?format=json&hasfast=true&authuser=0	false		high
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en	false		high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0	false		high
https://scratchdreams.tk/_send_.php?TS	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high

ID:	1434016
Product:	CloudBasic
Start time:	12:50:30
Start date:	30.04.2024
Sample:	DEKONT.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c766a45151c2a9b0879095062dc566fe
SHA1:	c9587ac978a75933670dd94c3766e635afeed2e8
SHA256:	d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report DEKONT.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
DEKONT.exe

Malware Threat Intel
Provided by

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
Chrome Cache Entry: 63	ASCII text, with very long lines (1746)	0282D5C4C6038FCEB2FF8607EDAC81A4	62EBF05C33F8A3115C208BB4D5CE9B38F6D06447	AAAF17E8ED9C8DD5D1B69C8BBB617600A768256654C076F760E09C6047973371
Chrome Cache Entry: 64	ASCII text, with very long lines (769)	213A219F4D2C9272C9960409FC210C50	0365479D56A9DBC3F4BA134F7B3402FB98A212C7	AABDECF8E56A9C5DC95DBB5C85F4E72EF73AA87AB610CE3B3052FA3945323479
Chrome Cache Entry: 65	ASCII text, with very long lines (770)	D5328D5D22FB5A0BB9E64E49F88B166F	2A816E814F548BBEC9BCD7023D57A22A1D97B6A5	1260B093F27D3E5D89FEC270A6E3F57CF029C1FAAC18B5D7203AD51051C2AB4D
Chrome Cache Entry: 66	PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced	387ED93F42803B1EC6697E3B57FBCEF0	2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E	982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
Chrome Cache Entry: 67	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 68	ASCII text, with very long lines (2200)	ECE5A05F800D0B5A4D49E592F97D6221	36D04CCC18AF2086B8AF97960598EACB47C64555	91462491133671ACCA6E3544D55A3B0AA37EA37EFBB4B99A5BE0BC0659803EA7
Chrome Cache Entry: 69	ASCII text, with very long lines (736)	91FCA5681E4B2B65D9EC02DB312FDECE	78A6603F175119DDC4FECE015326F336D70F0139	CB0D00367507EAD438F60A2DF6C68C8C03E06C9787D346883E0DBC1B57648465
Chrome Cache Entry: 70	ASCII text, with very long lines (1658)	93851C21FBAD0812277315A6CA39D9A1	830D5F42F1E43FC85E07224272F35DF4DEAC55A5	2BBA1E47C72CC7EE6E3D5434C1D527AF8F093931D7097129DB2FF71B0CFD638C
Chrome Cache Entry: 71	ASCII text, with very long lines (65531)	820B0EEE09948938286057F1F615AC83	7751130C42FA76F65280C112B34575386453D8F7	668D916252BB4DD53D3736A1D9C43E626A4B6CC4C010E7DA93AB0B45D16B05DA
Chrome Cache Entry: 72	PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced	387ED93F42803B1EC6697E3B57FBCEF0	2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E	982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
Chrome Cache Entry: 73	Web Open Font Format (Version 2), TrueType, length 15344, version 1.0	5D4AEB4E5F5EF754E307D7FFAEF688BD	06DB651CDF354C64A7383EA9C77024EF4FB4CEF8	3E253B66056519AA065B00A453BAC37AC5ED8F3E6FE7B542E93A9DCDCC11D0BC
Chrome Cache Entry: 74	ASCII text, with very long lines (3572), with no line terminators	88BC8C86A83B9BD8EDA6FDF225CDC8DD	473D84930F027A365278C15282725A69721F4B18	47D960E93D9E7AB4C760A09DA0AA5E6549A8355AD5C0BA8476D4269F4FBDB354
Chrome Cache Entry: 75	SVG Scalable Vector Graphics image	554640F465EB3ED903B543DAE0A1BCAC	E0E6E2C8939008217EB76A3B3282CA75F3DC401A	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
Chrome Cache Entry: 76	ASCII text, with very long lines (2124)	F46ACD807A10216E6EEE8EA51E0F14D6	4702F47070F7046689432DCF605F11364BC0FBED	D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
Chrome Cache Entry: 77	HTML document, Unicode text, UTF-8 text, with very long lines (1136)	FBE36EB2EECF1B90451A3A72701E49D2	AE56EA57C52D1153CEC33CEF91CF935D2D3AF14D	E8F2DED5D74C0EE5F427A20B6715E65BC79ED5C4FC67FB00D89005515C8EFE63
Chrome Cache Entry: 78	ASCII text, with very long lines (2956)	BA095D761063DF6A9CED92ED2318C1F6	BBEE942F428AD8D26B2B84653700A0D1AB2008B5	3758F898639B1005289E3BA365A9FED0EE3051E53D7B29AEB2E3435B1EACD6E1
Chrome Cache Entry: 79	HTML document, ASCII text, with very long lines (20704)	7CB0126CB5D8F3009CA102D09A88A73F	6CAFBD0A4DD018853919766606CBF6D2A1751394	C43A40E0E24A68DC49A18F1579E7BC34BFAFB24AAD0404FF969847AF501824C3
Chrome Cache Entry: 80	ASCII text	9FAE2B6737B98261777262B14B586F28	79C894898B2CED39335EB0003C18B27AA8C6DDCD	F55F6B26E77DF6647E544AE5B45892DCEA380B7A6D2BFAA1E023EA112CE81E73