Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe

"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7384
Target ID:	0
Parent PID:	4084
Name:	Proforma Invoice - Well Ergon.exe
Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Commandline:	"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"
Size:	354816
MD5:	D6EF5B4C4627DC06ABABA7F1276EDC79
Time:	10:43:18
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7c0000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe

"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7448
Target ID:	2
Parent PID:	7384
Name:	Proforma Invoice - Well Ergon.exe
Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Commandline:	"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"
Size:	354816
MD5:	D6EF5B4C4627DC06ABABA7F1276EDC79
Time:	10:43:18
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x70000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe

"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7600
Target ID:	6
Parent PID:	7384
Name:	Proforma Invoice - Well Ergon.exe
Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Commandline:	"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"
Size:	354816
MD5:	D6EF5B4C4627DC06ABABA7F1276EDC79
Time:	10:43:19
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x110000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe

"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7656
Target ID:	9
Parent PID:	7384
Name:	Proforma Invoice - Well Ergon.exe
Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Commandline:	"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"
Size:	354816
MD5:	D6EF5B4C4627DC06ABABA7F1276EDC79
Time:	10:43:21
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe

"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7716
Target ID:	12
Parent PID:	7384
Name:	Proforma Invoice - Well Ergon.exe
Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Commandline:	"C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe"
Size:	354816
MD5:	D6EF5B4C4627DC06ABABA7F1276EDC79
Time:	10:43:22
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	376832
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample has a suspicious name (potential lure to open the executable)	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 80

Details

Is windows:	true
Is dropped:	false
PID:	7528
Target ID:	5
Parent PID:	7448
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 80
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:43:18
Date:	16/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x990000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 80

Details

Is windows:	true
Is dropped:	false
PID:	7632
Target ID:	8
Parent PID:	7600
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 80
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:43:20
Date:	16/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x990000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7656 -s 80

Details

Is windows:	true
Is dropped:	false
PID:	7688
Target ID:	11
Parent PID:	7656
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7656 -s 80
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:43:21
Date:	16/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x990000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	12
From Memory:	false
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Source:	Proforma Invoice - Well Ergon.exe, 00000000.00000002.1434279786.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Proforma Invoice - Well Ergon.exe, 00000000.00000002.1434565759.0000000003B74000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice - Well Ergon.exe, 0000000C.00000002.3858276820.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice - Well Ergon.exe, 0000000C.00000002.3860396547.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Source:	Proforma Invoice - Well Ergon.exe, 00000000.00000002.1434279786.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, Proforma Invoice - Well Ergon.exe, 00000000.00000002.1434565759.0000000003B74000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice - Well Ergon.exe, 0000000C.00000002.3858276820.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	12
From Memory:	true
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Source:	Proforma Invoice - Well Ergon.exe, 0000000C.00000002.3860396547.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	12
From Memory:	true
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Source:	Proforma Invoice - Well Ergon.exe, 0000000C.00000002.3860396547.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.iaa-airferight.com

unknown

Domains

Name

Malicious

mail.iaa-airferight.com

46.175.148.58

Details

Name:	mail.iaa-airferight.com
IP:	46.175.148.58
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

46.175.148.58

mail.iaa-airferight.com

Ukraine

Details

IP:	46.175.148.58
TargetID:	12
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Country:	Ukraine
Countrycode:	UKR
ASN number:	56394
ASN name:	ASLAGIDKOM-NETUA
Private:	false
Domain:	mail.iaa-airferight.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	12
Current Path:	C:\Users\user\Desktop\Proforma Invoice - Well Ergon.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proforma Invoice - Well Ergon_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

2B1C000

trusted library allocation

page read and write

2AF1000

trusted library allocation

page read and write

2AD0000

direct allocation

page execute and read and write

3B74000

trusted library allocation

page read and write

648E000

stack

page read and write

F86000

heap

page read and write

D8D000

stack

page read and write

66E0000

trusted library allocation

page read and write

4F42000

trusted library allocation

page read and write

F0E000

heap

page read and write

55FD000

stack

page read and write

634E000

stack

page read and write

7FB90000

trusted library allocation

page execute and read and write

11BE000

stack

page read and write

AF9000

stack

page read and write

2C52000

trusted library allocation

page read and write

8AC000

stack

page read and write

F2D000

heap

page read and write

2812000

trusted library allocation

page read and write

F20000

trusted library allocation

page read and write

280A000

trusted library allocation

page execute and read and write

2A8E000

stack

page read and write

F43000

heap

page read and write

7C0000

unkown

page readonly

1130000

trusted library allocation

page read and write

54EF000

stack

page read and write

2B60000

heap

page read and write

BCB000

heap

page read and write

63D9000

heap

page read and write

51A0000

heap

page execute and read and write

EF4000

trusted library allocation

page read and write

6A70000

trusted library allocation

page execute and read and write

7FA000

stack

page read and write

4F60000

trusted library allocation

page read and write

B60000

heap

page read and write

E4E000

stack

page read and write

5690000

trusted library allocation

page read and write

117E000

stack

page read and write

6350000

heap

page read and write

6AA0000

trusted library allocation

page read and write

F34000

trusted library allocation

page read and write

6590000

trusted library allocation

page execute and read and write

111B000

trusted library allocation

page execute and read and write

53EE000

stack

page read and write

EEF000

stack

page read and write

D00000

heap

page read and write

573E000

stack

page read and write

2AD7000

trusted library allocation

page read and write

11D0000

trusted library allocation

page read and write

C65000

heap

page read and write

6392000

heap

page read and write

4FD000

stack

page read and write

6A50000

trusted library allocation

page read and write

28BC000

stack

page read and write

2B18000

trusted library allocation

page read and write

518E000

stack

page read and write

BDD000

heap

page read and write

580D000

stack

page read and write

B97000

heap

page read and write

50F0000

trusted library allocation

page read and write

7C2000

unkown

page readonly

27FD000

trusted library allocation

page execute and read and write

65B0000

trusted library allocation

page read and write

F3D000

trusted library allocation

page execute and read and write

CB5000

heap

page read and write

2B32000

trusted library allocation

page read and write

DCE000

stack

page read and write

F30000

trusted library allocation

page read and write

15C000

stack

page read and write

522C000

stack

page read and write

4F22000

trusted library allocation

page read and write

2B20000

heap

page execute and read and write

53AE000

stack

page read and write

65FD000

stack

page read and write

694E000

stack

page read and write

11C0000

trusted library allocation

page execute and read and write

4F1B000

trusted library allocation

page read and write

6368000

heap

page read and write

688F000

stack

page read and write

514E000

stack

page read and write

63D2000

heap

page read and write

BDA000

heap

page read and write

1FC000

stack

page read and write

6DC0000

heap

page read and write

E0E000

stack

page read and write

1117000

trusted library allocation

page execute and read and write

4F50000

trusted library allocation

page read and write

6A6B000

trusted library allocation

page read and write

4F3D000

trusted library allocation

page read and write

19D000

stack

page read and write

2B1A000

trusted library allocation

page read and write

2C50000

trusted library allocation

page read and write

624E000

stack

page read and write

2800000

trusted library allocation

page read and write

1110000

trusted library allocation

page read and write

63C9000

heap

page read and write

2AA1000

trusted library allocation

page read and write

28D8000

trusted library allocation

page read and write

2802000

trusted library allocation

page read and write

55BF000

stack

page read and write

B90000

heap

page read and write

52AE000

stack

page read and write

2B24000

trusted library allocation

page read and write

F40000

heap

page read and write

65B7000

trusted library allocation

page read and write

DDD000

trusted library allocation

page execute and read and write

2AE0000

trusted library allocation

page read and write

C3C000

heap

page read and write

2980000

trusted library allocation

page read and write

DE5000

heap

page read and write

66E7000

trusted library allocation

page read and write

4FE000

stack

page read and write

B70000

heap

page read and write

2B34000

trusted library allocation

page read and write

66D0000

heap

page read and write

3B71000

trusted library allocation

page read and write

2990000

heap

page execute and read and write

287E000

stack

page read and write

CF0000

heap

page read and write

50E0000

heap

page execute and read and write

4F36000

trusted library allocation

page read and write

110A000

trusted library allocation

page execute and read and write

512C000

stack

page read and write

C10000

heap

page read and write

DD4000

trusted library allocation

page read and write

10FE000

stack

page read and write

4F00000

trusted library allocation

page read and write

BA8000

heap

page read and write

2AC0000

direct allocation

page execute and read and write

104E000

stack

page read and write

6A4D000

stack

page read and write

56FD000

stack

page read and write

4F2E000

trusted library allocation

page read and write

65AD000

trusted library allocation

page read and write

2806000

trusted library allocation

page execute and read and write

6A60000

trusted library allocation

page read and write

F00000

heap

page read and write

4FD000

stack

page read and write

620000

heap

page read and write

5670000

heap

page read and write

6AB0000

trusted library allocation

page execute and read and write

9A9000

stack

page read and write

577E000

stack

page read and write

BD7000

heap

page read and write

DD3000

trusted library allocation

page execute and read and write

2AED000

trusted library allocation

page read and write

4F31000

trusted library allocation

page read and write

4EE0000

heap

page read and write

6AC0000

heap

page read and write

F0A000

heap

page read and write

DE0000

heap

page read and write

2C3C000

trusted library allocation

page read and write

CB0000

heap

page read and write

1100000

trusted library allocation

page read and write

2830000

trusted library allocation

page read and write

3AC9000

trusted library allocation

page read and write

2A9E000

stack

page read and write

BBE000

heap

page read and write

1B0000

heap

page read and write

27F0000

trusted library allocation

page read and write

281B000

trusted library allocation

page execute and read and write

3B09000

trusted library allocation

page read and write

5F8E000

stack

page read and write

4D0E000

stack

page read and write

2B71000

trusted library allocation

page read and write

BA0000

heap

page read and write

590D000

stack

page read and write

65A0000

trusted library allocation

page read and write

66CE000

stack

page read and write

4FB0000

heap

page read and write

2970000

trusted library allocation

page execute and read and write

4FB4000

heap

page read and write

28C0000

heap

page read and write

818000

unkown

page readonly

2817000

trusted library allocation

page execute and read and write

4F1E000

trusted library allocation

page read and write

2815000

trusted library allocation

page execute and read and write

F36000

heap

page read and write

2810000

trusted library allocation

page read and write

5698000

trusted library allocation

page read and write

557D000

stack

page read and write

EF0000

trusted library allocation

page read and write

2A90000

heap

page read and write

F33000

trusted library allocation

page execute and read and write

4B9E000

stack

page read and write

3AA1000

trusted library allocation

page read and write

668E000

stack

page read and write

400000

remote allocation

page execute and read and write

566D000

stack

page read and write

F47000

heap

page read and write

DD0000

trusted library allocation

page read and write

11E0000

heap

page read and write

DC0000

trusted library allocation

page read and write

4FC0000

heap

page read and write

530000

heap

page read and write

D4E000

stack

page read and write

4F10000

trusted library allocation

page read and write

658F000

stack

page read and write

There are 189 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Proforma Invoice - Well Ergon.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportProforma Invoice - Well Ergon.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Proforma Invoice - Well Ergon.exe