Windows Analysis Report
OKJ2402PRT000025.PDF.scr.exe

Overview

General Information

Sample name: OKJ2402PRT000025.PDF.scr.exe
Analysis ID: 1430323
MD5: 699b4ee5b2ca5887e48214ff1528e25d
SHA1: ac35dfe4cdabbb884eabe1c36e990b4fe3edab37
SHA256: c9495cc11ac18b285ddfe9c82c76d789a5caa7179f7500cc5e6ec7d659ca8c54
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "prince@wmlimternational.com", "Password": "WiYR)pU7"}
Multi AV Scanner detection for submitted file
Source: OKJ2402PRT000025.PDF.scr.exe ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: OKJ2402PRT000025.PDF.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 4x nop then jmp 075DFE07h 0_2_075DF711
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 4x nop then jmp 075DFE07h 0_2_075DF870
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49704 -> 208.91.199.224:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.224 208.91.199.224
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49704 -> 208.91.199.224:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 7KG.cs .Net Code: _1Sqy9

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: OKJ2402PRT000025.PDF.scr.exe, Form4.cs Large array initialization: : array initializer size 622173
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.321a0a8.5.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.5610000.12.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: OKJ2402PRT000025.PDF.scr.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0140D7CC 0_2_0140D7CC
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_02FD0518 0_2_02FD0518
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_02FD0508 0_2_02FD0508
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560F6E8 0_2_0560F6E8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560A970 0_2_0560A970
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560A0E8 0_2_0560A0E8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560F3D0 0_2_0560F3D0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560B3D8 0_2_0560B3D8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560C288 0_2_0560C288
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_056095C8 0_2_056095C8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_056095D8 0_2_056095D8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560E58A 0_2_0560E58A
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560DFE0 0_2_0560DFE0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560DFD2 0_2_0560DFD2
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560AE29 0_2_0560AE29
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560AE38 0_2_0560AE38
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560F6D8 0_2_0560F6D8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560A961 0_2_0560A961
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560D128 0_2_0560D128
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560D118 0_2_0560D118
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560C19E 0_2_0560C19E
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560A050 0_2_0560A050
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560E341 0_2_0560E341
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560E350 0_2_0560E350
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560F3C0 0_2_0560F3C0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560B3C8 0_2_0560B3C8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DA6C8 0_2_075DA6C8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DAF38 0_2_075DAF38
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DAF28 0_2_075DAF28
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DCFE0 0_2_075DCFE0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D1EC0 0_2_075D1EC0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D1EB0 0_2_075D1EB0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DAB00 0_2_075DAB00
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D7B38 0_2_075D7B38
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D0BA0 0_2_075D0BA0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DCAD0 0_2_075DCAD0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075DAAF0 0_2_075DAAF0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026F9378 3_2_026F9378
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026F4A98 3_2_026F4A98
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026F3E80 3_2_026F3E80
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026FCDC0 3_2_026FCDC0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026F9DDD 3_2_026F9DDD
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_026F41C8 3_2_026F41C8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DBBCA0 3_2_05DBBCA0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DBDC55 3_2_05DBDC55
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB8C06 3_2_05DB8C06
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB2EF8 3_2_05DB2EF8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB3EF8 3_2_05DB3EF8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB5698 3_2_05DB5698
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB0040 3_2_05DB0040
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB9A98 3_2_05DB9A98
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB4FB8 3_2_05DB4FB8
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 3_2_05DB3608 3_2_05DB3608
Sample file is different than original file name gathered from version info
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2144153746.0000000005610000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2140529351.000000000126E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2145628633.000000000B5C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2141269562.000000000346C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004BCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2141269562.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310652271.0000000000938000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea4fc95b8-6cda-4231-99a4-d3be09dde129.exe4 vs OKJ2402PRT000025.PDF.scr.exe
Source: OKJ2402PRT000025.PDF.scr.exe Binary or memory string: OriginalFilenameIJaI.exeL vs OKJ2402PRT000025.PDF.scr.exe
Uses 32bit PE files
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 1UT6pzc0M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, DnQOD3M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, 01seU.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, iUDwvr7Gz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, XUu2qKyuF6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, aZathEIgR.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, l50VLEll22.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, l50VLEll22.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, VJnyNfUTwyxOShbVaD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs Security API names: _0020.SetAccessControl
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OKJ2402PRT000025.PDF.scr.exe.log Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Mutant created: NULL
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\NLPSTWXecbdPrQGz
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OKJ2402PRT000025.PDF.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OKJ2402PRT000025.PDF.scr.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File read: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: OKJ2402PRT000025.PDF.scr.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs .Net Code: qNr4JmxxcH System.Reflection.Assembly.Load(byte[])
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.321a0a8.5.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.5610000.12.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0140CED8 pushfd ; retf 0_2_0140CED9
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560BCD5 pushad ; retf 0_2_0560BCD6
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_0560BCDF pushad ; retf 0_2_0560BCE0
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D6742 pushad ; iretd 0_2_075D6744
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D677E pushad ; iretd 0_2_075D677F
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D676A pushad ; iretd 0_2_075D676B
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D67DB pushad ; iretd 0_2_075D67E1
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D67C1 pushad ; iretd 0_2_075D67C7
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D67FC pushad ; iretd 0_2_075D67FE
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D67AD pushad ; iretd 0_2_075D67B3
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D2C2A pushfd ; iretd 0_2_075D2C2B
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D8BB1 push eax; iretd 0_2_075D8BD5
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Code function: 0_2_075D6828 pushad ; iretd 0_2_075D6829
Source: OKJ2402PRT000025.PDF.scr.exe Static PE information: section name: .text entropy: 7.875003692297347
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, o9QUNZzGMab5hfsmDG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pFXMf98hEv', 'kqRMYR8MTX', 'hlUM5thejG', 'QEYMP88qt4', 'GCiMXRBJro', 'i8rMMY3N1U', 'aC3MZl5IFU'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, OrEIGE23aHaRCRdfxu.cs High entropy of concatenated method names: 'atbux5txIF', 'kKNuB6hmSs', 'UAWuUj4wnF', 'xsUu2fT9iV', 'YoUuYFHG7M', 'tQ4u5KiTvK', 'k8QuPj34Pd', 'tTLuX8ucKA', 'hlNuMqBhyh', 'nfruZ2ax1k'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, DrT2sXuUxdTSiTy4Sa.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YyICgfPLY9', 'Bp2CnWVDd7', 'UtWCz1pqnB', 'tNb6Qvx994', 'M766Vsg29c', 'PjD6CkhHFJ', 'uva66V9l4D', 'YqhtgRcGGHQoF6vicRu'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ftCnBqhUFEqBk48DK8.cs High entropy of concatenated method names: 'dxmiDbQsGb', 'BXhimoTDEo', 'GcMiJfpeXw', 'Q2JixWT4xA', 'KJ2iy82gZw', 'rbwiBqT0Kv', 'q4Tiawfc7V', 'OxAiUudifO', 'TyFi2woM8x', 'DUIi9Kfd5W'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, ROhxK7GGQweYraqk0s.cs High entropy of concatenated method names: 'rLJ6sfNaP6', 'M7R6w7temx', 'fs26OkxbwL', 'mQC6u7St4u', 'B5d6RXTT0p', 't956pJsq5j', 'iXO6iDk0tJ', 'qb66GHu5BD', 'CjN6LXwft9', 'i266IlEoZa'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, bN7av1ns9ssivFyGs4.cs High entropy of concatenated method names: 'faPMVWAbFS', 'iA8M6q9vv0', 'lFoM4vYYQo', 'jyMMwnsVYC', 'GDPMOWhFAn', 'RuWMRnAkZN', 'GHCMpx5CUC', 'hjUXd5p2SD', 'oowXNvuDgu', 'EL9Xg2FecM'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, VJnyNfUTwyxOShbVaD.cs High entropy of concatenated method names: 'LxhOFSnOBp', 'YybOkvH9ea', 'KDQO1gM0OL', 'RNgOc8W0xM', 'diJOerEs2o', 'c2AO8Tdnyk', 'pjmOd2WwxE', 'vYFON47NT1', 'hVJOgSHous', 'F3rOn45Ogt'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, PwsR084bq7CxP2pdKK.cs High entropy of concatenated method names: 'LLdViJnyNf', 'wwyVGxOShb', 'K3aVIHaRCR', 'VfxV0u5snQ', 'V74VYATIZZ', 'wo3V5JG4mN', 'dmkOBy7ddY9V4acWox', 'O0LR7etVxMVcv3rtyR', 'DhEVVpjthE', 'IiRV6D7T3Z'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, STVktiVQ6MhXwwOBQNp.cs High entropy of concatenated method names: 'LrPMDuZJVe', 'AWOMmUJCOy', 'RQvMJtbJsk', 'FBqMxTOSaw', 'iTgMytFoq7', 'JvKMBFp4Ft', 'sLyMaxZSgv', 'nbLMUGQOcS', 'pcYM2SlH0v', 'LFWM908Sst'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, lZZHo3AJG4mNl7DIiZ.cs High entropy of concatenated method names: 'eLOps102do', 'tcfpO0jA9h', 'zwqpRuwAhF', 'L7CpiUF9rw', 'kYQpGo7Udj', 'RxfRekRS46', 'H83R80lRCP', 'r5QRd8tFN9', 'vh9RNtnKvq', 'k6cRgDAyJg'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, G27Rnp1YJ8quULBYkT.cs High entropy of concatenated method names: 'ToString', 'e3V5KhbcRj', 'D3W5S646nD', 'TTA5b79Ybb', 'lbp5t1ygLJ', 'icb5ls8rQU', 'rAv53ygMr7', 'Rtk5ETnGel', 'V4B5j95vPX', 'Ue35hY26W6'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, WQCT5LOZ5bEP2qW0tv.cs High entropy of concatenated method names: 'Dispose', 'Df1VgKNIu5', 'o92CSquol6', 'urNIIcUk6d', 'P1UVnTdTL9', 'huQVzMLPjb', 'ProcessDialogKey', 'EjSCQRH4cB', 'YImCVkIBWV', 'ET7CCCN7av'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, GRH4cBgnImkIBWV2T7.cs High entropy of concatenated method names: 'tnRXAI89KE', 'wPFXS8GsuY', 'ysJXbDA7AX', 'TsPXtfISUe', 'HtBXFCPDXr', 'f32XlqmxUp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, fGmS2sVV494Lwchdg6I.cs High entropy of concatenated method names: 'ToString', 'WvRZ6O6UVc', 'BQgZ4ithjV', 'zxhZsZ05Pb', 'vVtZwBbnjG', 'ogrZO80c4p', 'KGYZuiMq7L', 'tD0ZRhS2ep', 'tuEU47ZjTCx0Kk8SGad', 'KTvYZmZBEu3lF5kSeIS'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, MKxpR4ChftOiJFetac.cs High entropy of concatenated method names: 'z4bJYhwms', 'FrbxK7ZWb', 'QUaBwwrns', 'yN3a2BcUd', 'kbo2Nc3uW', 'f2r95IWus', 'XARTbWgd1iU01jU8It', 'aF7f8qSGNRpWbX9AeO', 'lnAXtIWts', 'iJ6ZpAttL'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, SUTdTLN9RuQMLPjb2j.cs High entropy of concatenated method names: 'sT9XwrovQg', 'zuVXOZQDRG', 'PhQXuKty2T', 'YlJXR4p3Sf', 'vT6XpqgD6r', 'rvMXifnYLx', 'hfDXGihDkY', 'gs2XLdZxr9', 'kSRXIBQRQ6', 'DlQX0LnyUk'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, c1mLJ2V6Vc0fKfRx1ZD.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wHZZFkmnSD', 'TSYZkQm2VZ', 'DGDZ1KrM3M', 'ILZZchN1SN', 'LKHZe3p4FM', 'HVgZ8BQk1o', 'i5nZd9Isf4'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, YUbbHycOerA829UXOL.cs High entropy of concatenated method names: 'pyUPIxUpVn', 'vljP0lE9Ly', 'ToString', 'CmgPwM1ZcA', 'mtUPO75EvK', 'NFePuXSbwu', 'LChPR8w1lJ', 'MiYPp6ssNJ', 'MFWPiilFas', 'FgyPGnCfIi'
Source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4e511c0.8.raw.unpack, aj6ydVvaEnRiCZcU1v.cs High entropy of concatenated method names: 'FBIfUE1luO', 'P4If26sKlV', 'XtAfAaEBnw', 'epifSR16AG', 'MBFftDSsdO', 'z4LflKsHvQ', 'C0bfEN5vnV', 'fs2fjIZP7q', 'L4DfqL6WwV', 'LcefKYwErs'

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.scr Static PE information: OKJ2402PRT000025.PDF.scr.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 13C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 31F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 8DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 9DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 9FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: AFD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: B650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: C650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: D650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 2690000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 28F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: 2810000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Window / User API: threadDelayed 938 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Window / User API: threadDelayed 4435 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 2360 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 6444 Thread sleep count: 938 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 6428 Thread sleep count: 4435 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98151s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -98047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -97110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe TID: 3212 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99860 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99734 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99516 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99406 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99297 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98828 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98719 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98375 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98266 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98151 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 98047 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97938 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97813 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97360 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97235 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 97110 Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Memory written: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Process created: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe "C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.OKJ2402PRT000025.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f61ec8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OKJ2402PRT000025.PDF.scr.exe.4f274a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3312450936.000000000296A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3312450936.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 5088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OKJ2402PRT000025.PDF.scr.exe PID: 6656, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.199.224
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.199.224 true