Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

e-dekont.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.306258701957308
Filename:	e-dekont.exe
Filesize:	854528
MD5:	ff53d6a04ea8618890f7a81e31bd8a22
SHA1:	d804959bcb8a2ea43278a1f78aac8abede4fa62f
SHA256:	5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298
SHA512:	fb1830954a5568b13448fc3326a66b7730081cc432aeca6de3cefde5b3ee7f44a9fe95c8d8ec53bbd293be3f931f0dcc890bf3c612593d07d897c6939cddce45
SSDEEP:	12288:WUF9WM9gnUHf/6JCh+bLNftlDcaxlCcjbAf:WU2M9gUHf/6tLTlYklCQbA
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..z..........^.... ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e-dekont.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e-dekont.exe.log
Category:	dropped
Dump:	e-dekont.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\e-dekont.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.352427679901606
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
Size:	1415
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\e-dekont.exe

"C:\Users\user\Desktop\e-dekont.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7268
Target ID:	0
Parent PID:	2580
Name:	e-dekont.exe
Path:	C:\Users\user\Desktop\e-dekont.exe
Commandline:	"C:\Users\user\Desktop\e-dekont.exe"
Size:	854528
MD5:	FF53D6A04EA8618890F7A81E31BD8A22
Time:	07:09:03
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x700000
Modulesize:	876544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\e-dekont.exe

"C:\Users\user\Desktop\e-dekont.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7424
Target ID:	2
Parent PID:	7268
Name:	e-dekont.exe
Path:	C:\Users\user\Desktop\e-dekont.exe
Commandline:	"C:\Users\user\Desktop\e-dekont.exe"
Size:	854528
MD5:	FF53D6A04EA8618890F7A81E31BD8A22
Time:	07:09:05
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	876544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

https://reallyfreegeoip.org/xml/154.16.105.36$

unknown

http://tempuri.org/DataSet1.xsd

unknown

http://www.tiro.com

unknown

http://checkip.dyndns.org

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://checkip.dyndns.org/

158.101.44.242

http://checkip.dyndns.org/q

unknown

http://www.jiyu-kobo.co.jp/

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

http://www.galapagosdesign.com/DPlease

unknown

https://reallyfreegeoip.org

unknown

http://www.fontbureau.com/designers8

unknown

https://reallyfreegeoip.org/xml/154.16.105.36

104.21.67.152

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://checkip.dyndns.com

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 29 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

104.21.67.152

Details

Name:	reallyfreegeoip.org
IP:	104.21.67.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

158.101.44.242

IPs

Domain

Country

Malicious

104.21.67.152

reallyfreegeoip.org

United States

Details

IP:	104.21.67.152
TargetID:	2
Current Path:	C:\Users\user\Desktop\e-dekont.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

158.101.44.242

checkip.dyndns.com

United States

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	2
Current Path:	C:\Users\user\Desktop\e-dekont.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\e-dekont_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

44BE000

trusted library allocation

page read and write

3160000

trusted library allocation

page read and write

2FA1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

7020000

heap

page read and write

2970000

heap

page read and write

50B3000

heap

page read and write

30DF000

trusted library allocation

page read and write

E02000

trusted library allocation

page read and write

5460000

trusted library allocation

page execute and read and write

2E2E000

trusted library allocation

page read and write

D3E000

stack

page read and write

7EFE0000

trusted library allocation

page execute and read and write

30F7000

trusted library allocation

page read and write

E20000

trusted library allocation

page read and write

3124000

trusted library allocation

page read and write

30A7000

trusted library allocation

page read and write

68FE000

stack

page read and write

14D0000

heap

page read and write

2C63000

trusted library allocation

page read and write

5082000

trusted library allocation

page read and write

E0B000

trusted library allocation

page execute and read and write

5440000

heap

page read and write

DF2000

trusted library allocation

page read and write

1370000

heap

page read and write

6C1B000

trusted library allocation

page read and write

71D0000

heap

page read and write

7400000

trusted library section

page read and write

4B65000

trusted library allocation

page read and write

DED000

trusted library allocation

page execute and read and write

3116000

trusted library allocation

page read and write

3216000

trusted library allocation

page read and write

5480000

heap

page read and write

5450000

heap

page read and write

4033000

trusted library allocation

page read and write

3207000

trusted library allocation

page read and write

2E36000

trusted library allocation

page read and write

5470000

heap

page read and write

E66000

heap

page read and write

513E000

stack

page read and write

4FC0000

trusted library allocation

page read and write

5070000

heap

page execute and read and write

2950000

trusted library allocation

page execute and read and write

F12000

heap

page read and write

1433000

trusted library allocation

page execute and read and write

403C000

trusted library allocation

page read and write

7180000

heap

page read and write

323E000

trusted library allocation

page read and write

2E1E000

trusted library allocation

page read and write

744E000

stack

page read and write

3066000

trusted library allocation

page read and write

BD0000

heap

page read and write

DFCE000

stack

page read and write

DD0000

trusted library allocation

page read and write

E40E000

stack

page read and write

5590000

heap

page read and write

119A000

heap

page read and write

1263000

heap

page read and write

5090000

trusted library allocation

page read and write

DE0000

trusted library allocation

page read and write

2AAD000

trusted library allocation

page read and write

CDA000

stack

page read and write

73F0000

trusted library allocation

page execute and read and write

2DC0000

trusted library allocation

page execute and read and write

6C42000

trusted library allocation

page read and write

1170000

heap

page read and write

71A1000

heap

page read and write

4385000

trusted library allocation

page read and write

146B000

trusted library allocation

page execute and read and write

3250000

trusted library allocation

page read and write

73AE000

stack

page read and write

7170000

heap

page read and write

1440000

trusted library allocation

page read and write

31F8000

trusted library allocation

page read and write

73B0000

trusted library section

page read and write

6C00000

trusted library allocation

page execute and read and write

3FC9000

trusted library allocation

page read and write

5B37000

trusted library allocation

page read and write

2DE0000

trusted library allocation

page read and write

30AB000

trusted library allocation

page read and write

4C7C000

stack

page read and write

321A000

trusted library allocation

page read and write

6C60000

trusted library allocation

page read and write

4FD0000

trusted library allocation

page read and write

677F000

stack

page read and write

DF0000

trusted library allocation

page read and write

5B3C000

trusted library allocation

page read and write

145A000

trusted library allocation

page execute and read and write

2DF0000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

E18E000

stack

page read and write

E3CF000

stack

page read and write

78E000

unkown

page readonly

6780000

heap

page read and write

E73000

heap

page read and write

5710000

trusted library allocation

page read and write

AB97000

trusted library allocation

page read and write

567E000

stack

page read and write

13B0000

heap

page read and write

700000

unkown

page readonly

5B40000

trusted library allocation

page execute and read and write

112E000

stack

page read and write

2DD0000

trusted library allocation

page read and write

12AF000

stack

page read and write

30EB000

trusted library allocation

page read and write

2AE1000

trusted library allocation

page read and write

72AE000

stack

page read and write

DDD000

trusted library allocation

page execute and read and write

294B000

stack

page read and write

7550000

trusted library allocation

page read and write

1452000

trusted library allocation

page read and write

12EE000

stack

page read and write

7560000

trusted library allocation

page read and write

2DE4000

trusted library allocation

page read and write

1465000

trusted library allocation

page execute and read and write

5010000

trusted library allocation

page read and write

4030000

trusted library allocation

page read and write

4B50000

trusted library allocation

page read and write

309F000

trusted library allocation

page read and write

3095000

trusted library allocation

page read and write

3049000

trusted library allocation

page read and write

5593000

heap

page read and write

54D0000

heap

page read and write

31FE000

trusted library allocation

page read and write

290E000

stack

page read and write

30FB000

trusted library allocation

page read and write

143D000

trusted library allocation

page execute and read and write

CF5000

heap

page read and write

702000

unkown

page readonly

118E000

heap

page read and write

4026000

trusted library allocation

page read and write

2E16000

trusted library allocation

page read and write

2F88000

trusted library allocation

page read and write

CF0000

heap

page read and write

6AFE000

stack

page read and write

324A000

trusted library allocation

page read and write

3AE1000

trusted library allocation

page read and write

5475000

heap

page read and write

2AA1000

trusted library allocation

page read and write

3150000

trusted library allocation

page read and write

CB0000

heap

page read and write

67C4000

heap

page read and write

6C70000

trusted library allocation

page read and write

DC0000

trusted library allocation

page read and write

3068000

trusted library allocation

page read and write

2A80000

trusted library allocation

page read and write

3056000

trusted library allocation

page read and write

693E000

stack

page read and write

2AA6000

trusted library allocation

page read and write

5080000

trusted library allocation

page read and write

6C50000

trusted library allocation

page read and write

1400000

heap

page read and write

51AB000

stack

page read and write

3131000

trusted library allocation

page read and write

1239000

heap

page read and write

3AE8000

trusted library allocation

page read and write

DD3000

trusted library allocation

page execute and read and write

5B30000

trusted library allocation

page read and write

2C5A000

trusted library allocation

page read and write

2E3D000

trusted library allocation

page read and write

314D000

trusted library allocation

page read and write

304E000

trusted library allocation

page read and write

1015000

heap

page read and write

6797000

heap

page read and write

5480000

heap

page read and write

73E0000

trusted library section

page read and write

D90000

heap

page read and write

4B6E000

trusted library allocation

page read and write

50B0000

heap

page read and write

7230000

heap

page read and write

DD4000

trusted library allocation

page read and write

CD7000

heap

page read and write

6C30000

trusted library allocation

page execute and read and write

2960000

trusted library allocation

page read and write

6A3E000

stack

page read and write

1456000

trusted library allocation

page execute and read and write

116E000

stack

page read and write

1462000

trusted library allocation

page read and write

53B0000

trusted library section

page readonly

2A8B000

trusted library allocation

page read and write

6C6B000

trusted library allocation

page read and write

E3A000

heap

page read and write

6C20000

trusted library allocation

page execute and read and write

2A7E000

stack

page read and write

2F9E000

trusted library allocation

page read and write

5060000

trusted library allocation

page execute and read and write

2DBD000

stack

page read and write

2A9E000

trusted library allocation

page read and write

E70000

heap

page read and write

11FD000

heap

page read and write

2E90000

heap

page read and write

67DB000

heap

page read and write

DE3000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

2F47000

trusted library allocation

page read and write

DA0000

heap

page read and write

2F9F000

stack

page read and write

31F3000

trusted library allocation

page read and write

68BD000

stack

page read and write

2E10000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

54BE000

heap

page read and write

3051000

trusted library allocation

page read and write

7150000

trusted library allocation

page read and write

4AE0000

trusted library section

page read and write

6BFF000

stack

page read and write

754E000

stack

page read and write

2AD0000

heap

page execute and read and write

2C65000

trusted library allocation

page read and write

318A000

trusted library allocation

page read and write

DFA000

trusted library allocation

page execute and read and write

DF8E000

stack

page read and write

2FA0000

trusted library allocation

page read and write

6CA0000

heap

page read and write

6C40000

trusted library allocation

page read and write

E2CE000

stack

page read and write

CD0000

heap

page read and write

2E00000

heap

page execute and read and write

11AB000

heap

page read and write

1450000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

30F3000

trusted library allocation

page read and write

30E7000

trusted library allocation

page read and write

30A3000

trusted library allocation

page read and write

A69000

stack

page read and write

3081000

trusted library allocation

page read and write

5490000

heap

page read and write

2E2A000

trusted library allocation

page read and write

144D000

trusted library allocation

page execute and read and write

E28E000

stack

page read and write

1010000

heap

page read and write

E50F000

stack

page read and write

4337000

trusted library allocation

page read and write

43D3000

trusted library allocation

page read and write

E07000

trusted library allocation

page execute and read and write

7610000

trusted library allocation

page execute and read and write

14CE000

stack

page read and write

51B0000

heap

page read and write

30E3000

trusted library allocation

page read and write

6C10000

trusted library allocation

page read and write

2E1B000

trusted library allocation

page read and write

1430000

trusted library allocation

page read and write

3245000

trusted library allocation

page read and write

5050000

heap

page read and write

DD7000

stack

page read and write

1480000

trusted library allocation

page read and write

4FE0000

trusted library allocation

page read and write

7140000

trusted library allocation

page read and write

1178000

heap

page read and write

30DB000

trusted library allocation

page read and write

1434000

trusted library allocation

page read and write

DF6000

trusted library allocation

page execute and read and write

2E31000

trusted library allocation

page read and write

6C20000

trusted library allocation

page read and write

596E000

stack

page read and write

53AD000

stack

page read and write

5720000

heap

page execute and read and write

6D10000

trusted library allocation

page execute and read and write

3FA1000

trusted library allocation

page read and write

30EF000

trusted library allocation

page read and write

15DE000

stack

page read and write

1467000

trusted library allocation

page execute and read and write

E30000

heap

page read and write

B67000

stack

page read and write

667E000

stack

page read and write

2E60000

trusted library allocation

page read and write

EBC000

heap

page read and write

5B39000

trusted library allocation

page read and write

4FD5000

trusted library allocation

page read and write

4B60000

trusted library allocation

page read and write

1050000

heap

page read and write

3211000

trusted library allocation

page read and write

400B000

trusted library allocation

page read and write

6C5E000

trusted library allocation

page read and write

102E000

stack

page read and write

D7E000

stack

page read and write

E3E000

heap

page read and write

There are 267 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
e-dekont.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporte-dekont.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
e-dekont.exe