Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DEKONT.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.363765319780092
Filename:	DEKONT.exe
Filesize:	971776
MD5:	384c4da2b75f4c7a1fa5585bc07634e6
SHA1:	27d368536af080b92d543f9c24af8596cc0edd6d
SHA256:	8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
SHA512:	6b7919c2cb1a0900dad45b9d0a44aa7b7ff20a24cad142704978f3737f16ee5df0c3b9d2b1c5de05a0e565a9dfe591a82e7706eeda98c818d7a2840050f160b1
SSDEEP:	12288:mF2iNryhiHr2JXAfykubkHwObkzi4pYv0lv312Z3:mF1lyhiHrAXAaXbkHwZ1qMJ312Z
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..D...........b... ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEKONT.exe.log
Category:	dropped
Dump:	DEKONT.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DEKONT.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DEKONT.exe

"C:\Users\user\Desktop\DEKONT.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7384
Target ID:	0
Parent PID:	4084
Name:	DEKONT.exe
Path:	C:\Users\user\Desktop\DEKONT.exe
Commandline:	"C:\Users\user\Desktop\DEKONT.exe"
Size:	971776
MD5:	384C4DA2B75F4C7A1FA5585BC07634E6
Time:	10:12:00
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfe0000
Modulesize:	999424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\DEKONT.exe

"C:\Users\user\Desktop\DEKONT.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7564
Target ID:	3
Parent PID:	7384
Name:	DEKONT.exe
Path:	C:\Users\user\Desktop\DEKONT.exe
Commandline:	"C:\Users\user\Desktop\DEKONT.exe"
Size:	971776
MD5:	384C4DA2B75F4C7A1FA5585BC07634E6
Time:	10:12:02
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc30000
Modulesize:	999424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.6.168

https://reallyfreegeoip.org/xml/154.16.105.36$

unknown

http://checkip.dyndns.org/q

unknown

http://tempuri.org/DataSet1.xsd

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/154.16.105.36(

unknown

https://reallyfreegeoip.org/xml/154.16.105.36

104.21.67.152

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

104.21.67.152

Details

Name:	reallyfreegeoip.org
IP:	104.21.67.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

104.21.67.152

reallyfreegeoip.org

United States

Details

IP:	104.21.67.152
TargetID:	3
Current Path:	C:\Users\user\Desktop\DEKONT.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	3
Current Path:	C:\Users\user\Desktop\DEKONT.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DEKONT_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4DF7000

trusted library allocation

page read and write

2FD1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4409000

trusted library allocation

page read and write

5B20000

trusted library section

page read and write

17C7000

trusted library allocation

page execute and read and write

1505000

trusted library allocation

page execute and read and write

3228000

trusted library allocation

page read and write

14FA000

trusted library allocation

page execute and read and write

30DC000

trusted library allocation

page read and write

5573000

heap

page read and write

5B10000

trusted library allocation

page read and write

2F7E000

trusted library allocation

page read and write

4CBE000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

56C0000

heap

page read and write

32B0000

heap

page read and write

3295000

trusted library allocation

page read and write

164F000

heap

page read and write

3099000

trusted library allocation

page read and write

5AFE000

stack

page read and write

329E000

trusted library allocation

page read and write

30B1000

trusted library allocation

page read and write

1793000

trusted library allocation

page execute and read and write

2FC0000

heap

page execute and read and write

68CA000

heap

page read and write

6B1E000

stack

page read and write

5880000

trusted library allocation

page read and write

14F0000

trusted library allocation

page read and write

7560000

heap

page read and write

5DA4000

heap

page read and write

7240000

heap

page read and write

2EDF000

stack

page read and write

2F82000

trusted library allocation

page read and write

50CE000

stack

page read and write

141E000

stack

page read and write

588E000

trusted library allocation

page read and write

5970000

trusted library allocation

page execute and read and write

5B00000

trusted library allocation

page read and write

550E000

stack

page read and write

2F60000

trusted library allocation

page read and write

5B55000

heap

page read and write

FE2000

unkown

page readonly

5930000

heap

page execute and read and write

2DC0000

trusted library allocation

page execute and read and write

114A000

heap

page read and write

37DD000

trusted library allocation

page read and write

3241000

trusted library allocation

page read and write

1652000

heap

page read and write

DBA000

stack

page read and write

1120000

heap

page read and write

17C0000

trusted library allocation

page read and write

308A000

trusted library allocation

page read and write

55BD000

stack

page read and write

1156000

heap

page read and write

3210000

trusted library section

page read and write

3155000

trusted library allocation

page read and write

589E000

trusted library allocation

page read and write

14D0000

trusted library allocation

page read and write

2DD0000

heap

page read and write

5962000

trusted library allocation

page read and write

17B2000

trusted library allocation

page read and write

5D70000

heap

page read and write

6A1E000

stack

page read and write

58D5000

trusted library allocation

page read and write

37F6000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

320F000

stack

page read and write

30C8000

trusted library allocation

page read and write

5965000

trusted library allocation

page read and write

1618000

heap

page read and write

1350000

heap

page read and write

1507000

trusted library allocation

page execute and read and write

13DE000

stack

page read and write

1128000

heap

page read and write

553C000

stack

page read and write

4056000

trusted library allocation

page read and write

2F8A000

trusted library allocation

page read and write

116A000

stack

page read and write

689E000

heap

page read and write

6DF0000

trusted library allocation

page execute and read and write

6CFB000

trusted library allocation

page read and write

17B6000

trusted library allocation

page execute and read and write

2FB4000

trusted library allocation

page read and write

4C70000

trusted library allocation

page read and write

4060000

trusted library allocation

page read and write

3280000

trusted library allocation

page read and write

120A000

heap

page read and write

7AB0000

trusted library allocation

page execute and read and write

59FF000

stack

page read and write

403B000

trusted library allocation

page read and write

1780000

trusted library allocation

page read and write

5600000

heap

page execute and read and write

5D6E000

stack

page read and write

1794000

trusted library allocation

page read and write

3191000

trusted library allocation

page read and write

326E000

trusted library allocation

page read and write

30D8000

trusted library allocation

page read and write

30D4000

trusted library allocation

page read and write

5900000

trusted library allocation

page read and write

69DF000

stack

page read and write

58B2000

trusted library allocation

page read and write

11B5000

heap

page read and write

58D0000

trusted library allocation

page read and write

33C0000

heap

page read and write

33E0000

trusted library allocation

page read and write

6CF0000

trusted library allocation

page read and write

344A000

trusted library allocation

page read and write

5570000

heap

page read and write

10F7000

stack

page read and write

1460000

heap

page read and write

11E0000

heap

page read and write

813F000

stack

page read and write

310C000

trusted library allocation

page read and write

3238000

trusted library allocation

page read and write

5B1C000

trusted library allocation

page read and write

5FA0000

trusted library allocation

page read and write

DABE000

stack

page read and write

2F7B000

trusted library allocation

page read and write

139E000

stack

page read and write

3FD1000

trusted library allocation

page read and write

5510000

trusted library allocation

page read and write

DBBE000

stack

page read and write

3163000

trusted library allocation

page read and write

675E000

stack

page read and write

11B0000

heap

page read and write

32B1000

trusted library allocation

page read and write

17E0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

7AC0000

trusted library allocation

page read and write

6CE0000

trusted library allocation

page execute and read and write

14C0000

trusted library allocation

page read and write

31BC000

trusted library allocation

page read and write

D8BE000

stack

page read and write

D8FE000

stack

page read and write

17BA000

trusted library allocation

page execute and read and write

134E000

stack

page read and write

17CB000

trusted library allocation

page execute and read and write

3290000

trusted library allocation

page read and write

1790000

trusted library allocation

page read and write

17F0000

trusted library allocation

page execute and read and write

DDFF000

stack

page read and write

685E000

stack

page read and write

3274000

trusted library allocation

page read and write

6D50000

trusted library allocation

page read and write

6D20000

trusted library allocation

page read and write

59D0000

heap

page read and write

6860000

heap

page read and write

2F9D000

trusted library allocation

page read and write

3079000

trusted library allocation

page read and write

6D40000

trusted library allocation

page read and write

1AF0000

heap

page read and write

5AF0000

trusted library allocation

page read and write

311C000

trusted library allocation

page read and write

175E000

stack

page read and write

17AD000

trusted library allocation

page execute and read and write

5F9E000

stack

page read and write

30C5000

trusted library allocation

page read and write

5B60000

trusted library section

page read and write

3FF9000

trusted library allocation

page read and write

5B50000

heap

page read and write

5ADB000

stack

page read and write

7878000

heap

page read and write

5AE0000

trusted library allocation

page read and write

5980000

trusted library allocation

page read and write

1230000

heap

page read and write

16E8000

heap

page read and write

1800000

heap

page read and write

1480000

heap

page read and write

6D4B000

trusted library allocation

page read and write

2F70000

trusted library allocation

page read and write

3182000

trusted library allocation

page read and write

7C62000

trusted library allocation

page read and write

2FB0000

trusted library allocation

page read and write

6D3E000

trusted library allocation

page read and write

14F6000

trusted library allocation

page execute and read and write

14ED000

trusted library allocation

page execute and read and write

3147000

trusted library allocation

page read and write

1088000

unkown

page readonly

6CDF000

stack

page read and write

3081000

trusted library allocation

page read and write

699D000

stack

page read and write

756E000

heap

page read and write

312C000

trusted library allocation

page read and write

3114000

trusted library allocation

page read and write

406C000

trusted library allocation

page read and write

319F000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

5B17000

trusted library allocation

page read and write

2CD0000

trusted library allocation

page read and write

179D000

trusted library allocation

page execute and read and write

1637000

heap

page read and write

1610000

heap

page read and write

588B000

trusted library allocation

page read and write

59C0000

trusted library section

page readonly

5B70000

heap

page read and write

58A1000

trusted library allocation

page read and write

DCBE000

stack

page read and write

59E0000

heap

page read and write

FE0000

unkown

page readonly

6D80000

heap

page read and write

1644000

heap

page read and write

33BE000

stack

page read and write

1220000

heap

page read and write

58AD000

trusted library allocation

page read and write

6D10000

trusted library allocation

page execute and read and write

3128000

trusted library allocation

page read and write

317F000

trusted library allocation

page read and write

2F1E000

stack

page read and write

190F000

stack

page read and write

1510000

heap

page read and write

7B50000

trusted library allocation

page read and write

5950000

heap

page read and write

3096000

trusted library allocation

page read and write

7B3D000

stack

page read and write

4D0C000

trusted library allocation

page read and write

59F3000

heap

page read and write

17A0000

trusted library allocation

page read and write

14E0000

trusted library allocation

page read and write

59F0000

heap

page read and write

58A6000

trusted library allocation

page read and write

3280000

trusted library allocation

page read and write

32A0000

trusted library allocation

page execute and read and write

3087000

trusted library allocation

page read and write

2F91000

trusted library allocation

page read and write

160E000

stack

page read and write

14D4000

trusted library allocation

page read and write

3124000

trusted library allocation

page read and write

6D00000

trusted library allocation

page execute and read and write

1AF7000

heap

page read and write

1AE0000

trusted library allocation

page read and write

14DD000

trusted library allocation

page execute and read and write

1ADE000

stack

page read and write

5530000

trusted library allocation

page read and write

A31E000

trusted library allocation

page read and write

68BF000

heap

page read and write

34F2000

trusted library allocation

page read and write

324A000

trusted library allocation

page read and write

17C2000

trusted library allocation

page read and write

14D3000

trusted library allocation

page execute and read and write

6BDE000

stack

page read and write

34E5000

trusted library allocation

page read and write

30D0000

trusted library allocation

page read and write

3120000

trusted library allocation

page read and write

108C000

unkown

page readonly

5B19000

trusted library allocation

page read and write

1500000

trusted library allocation

page read and write

322E000

trusted library allocation

page read and write

150B000

trusted library allocation

page execute and read and write

5B40000

trusted library allocation

page execute and read and write

2F76000

trusted library allocation

page read and write

33F0000

heap

page execute and read and write

6D30000

trusted library allocation

page read and write

2F8E000

trusted library allocation

page read and write

7890000

heap

page read and write

5B20000

trusted library allocation

page execute and read and write

543C000

stack

page read and write

78D7000

heap

page read and write

5884000

trusted library allocation

page read and write

59A0000

trusted library allocation

page execute and read and write

5D80000

heap

page read and write

78C9000

heap

page read and write

14F7000

stack

page read and write

1502000

trusted library allocation

page read and write

161E000

heap

page read and write

7AAE000

stack

page read and write

14F2000

trusted library allocation

page read and write

7A6E000

stack

page read and write

3246000

trusted library allocation

page read and write

327A000

trusted library allocation

page read and write

11D0000

heap

page read and write

5B00000

trusted library allocation

page execute and read and write

2D1E000

stack

page read and write

17B0000

trusted library allocation

page read and write

3118000

trusted library allocation

page read and write

DCFE000

stack

page read and write

58E0000

trusted library allocation

page read and write

11F0000

heap

page read and write

3223000

trusted library allocation

page read and write

308D000

trusted library allocation

page read and write

2F96000

trusted library allocation

page read and write

4401000

trusted library allocation

page read and write

1225000

heap

page read and write

7FB50000

trusted library allocation

page execute and read and write

3401000

trusted library allocation

page read and write

There are 275 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DEKONT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDEKONT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DEKONT.exe