Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OKJ2402PRT000025.PDF.scr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.865188334502124
Filename:	OKJ2402PRT000025.PDF.scr.exe
Filesize:	722432
MD5:	699b4ee5b2ca5887e48214ff1528e25d
SHA1:	ac35dfe4cdabbb884eabe1c36e990b4fe3edab37
SHA256:	c9495cc11ac18b285ddfe9c82c76d789a5caa7179f7500cc5e6ec7d659ca8c54
SHA512:	07afcdc98b6bbfce341a97c871f8c004890def6ca19a169401583ae1afedc5b330a6456a43b80a0a3c1c1b9cc2f7a680beda0a2be979a1bd960a187f420b962f
SSDEEP:	12288:Do7gHK0cpSDviH6VSx/Q67K4xAgSDGQr0UehDkIb6JjXMjTFg5:ljwQ67K4C9DjrYhD6XoTF
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%f................................. ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OKJ2402PRT000025.PDF.scr.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OKJ2402PRT000025.PDF.scr.exe.log
Category:	dropped
Dump:	OKJ2402PRT000025.PDF.scr.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe

"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5088
Target ID:	0
Parent PID:	4004
Name:	OKJ2402PRT000025.PDF.scr.exe
Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Commandline:	"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
Size:	722432
MD5:	699B4EE5B2CA5887E48214FF1528E25D
Time:	14:21:49
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb90000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe

"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6656
Target ID:	3
Parent PID:	5088
Name:	OKJ2402PRT000025.PDF.scr.exe
Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Commandline:	"C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe"
Size:	722432
MD5:	699B4EE5B2CA5887E48214FF1528E25D
Time:	14:21:55
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

unknown

Details

Name:	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Source:	OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ocsp.sectigo.com0A

unknown

Details

Name:	http://ocsp.sectigo.com0A
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Source:	OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://sectigo.com/CPS0

unknown

Details

Name:	https://sectigo.com/CPS0
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Source:	OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310849822.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3317255897.00000000063E2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Source:	OKJ2402PRT000025.PDF.scr.exe, 00000000.00000002.2142292089.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3310408546.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://us2.smtp.mailhostbox.com

unknown

Details

Name:	http://us2.smtp.mailhostbox.com
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Source:	OKJ2402PRT000025.PDF.scr.exe, 00000003.00000002.3312450936.000000000293E000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

us2.smtp.mailhostbox.com

208.91.199.224

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.224
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.91.199.224

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.224
TargetID:	3
Current Path:	C:\Users\user\Desktop\OKJ2402PRT000025.PDF.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

296A000

trusted library allocation

page read and write

293E000

trusted library allocation

page read and write

28F1000

trusted library allocation

page read and write

4F27000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

609D000

stack

page read and write

11D0000

heap

page read and write

26D0000

heap

page read and write

540E000

stack

page read and write

2FC0000

trusted library allocation

page read and write

EF8E000

stack

page read and write

2958000

trusted library allocation

page read and write

28C0000

trusted library allocation

page read and write

1370000

trusted library allocation

page read and write

3919000

trusted library allocation

page read and write

BF4000

heap

page read and write

DD6000

stack

page read and write

5D90000

trusted library allocation

page read and write

EE4E000

stack

page read and write

4E34000

trusted library allocation

page read and write

5E00000

trusted library allocation

page execute and read and write

65E0000

trusted library allocation

page read and write

28B0000

trusted library allocation

page read and write

123D000

trusted library allocation

page execute and read and write

2972000

trusted library allocation

page read and write

73DF000

stack

page read and write

4AE3000

trusted library allocation

page read and write

DBE000

stack

page read and write

75C0000

trusted library allocation

page read and write

58C0000

heap

page execute and read and write

5610000

trusted library section

page read and write

4E56000

trusted library allocation

page read and write

64DE000

stack

page read and write

1400000

trusted library allocation

page execute and read and write

B92000

unkown

page readonly

2FF8000

trusted library allocation

page read and write

75BE000

stack

page read and write

16A0000

heap

page read and write

5630000

heap

page read and write

65DF000

stack

page read and write

E10000

heap

page read and write

4A47000

trusted library allocation

page read and write

4A95000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

1040000

heap

page read and write

72DE000

stack

page read and write

3580000

trusted library allocation

page read and write

74BE000

stack

page read and write

2F70000

trusted library allocation

page read and write

1410000

trusted library allocation

page read and write

5D80000

trusted library allocation

page read and write

B64B000

trusted library allocation

page read and write

2616000

trusted library allocation

page execute and read and write

5570000

heap

page read and write

E68E000

stack

page read and write

6620000

trusted library allocation

page execute and read and write

ACE000

unkown

page read and write

1050000

heap

page read and write

1317000

heap

page read and write

2FD0000

trusted library allocation

page execute and read and write

5600000

trusted library allocation

page execute and read and write

7EE20000

trusted library allocation

page execute and read and write

2625000

trusted library allocation

page execute and read and write

261A000

trusted library allocation

page execute and read and write

280E000

stack

page read and write

31E0000

heap

page execute and read and write

4FC0000

heap

page execute and read and write

B640000

trusted library allocation

page read and write

41F9000

trusted library allocation

page read and write

E98F000

stack

page read and write

EACE000

stack

page read and write

10B5000

heap

page read and write

126E000

heap

page read and write

5DA0000

trusted library allocation

page read and write

63A0000

heap

page read and write

6900000

heap

page read and write

55A0000

trusted library allocation

page read and write

4E36000

trusted library allocation

page read and write

163F000

stack

page read and write

28D0000

trusted library allocation

page read and write

B5C0000

trusted library section

page read and write

346C000

trusted library allocation

page read and write

293C000

trusted library allocation

page read and write

12A2000

heap

page read and write

268E000

stack

page read and write

2FB0000

heap

page read and write

1240000

trusted library allocation

page read and write

5580000

trusted library allocation

page execute and read and write

326D000

trusted library allocation

page read and write

7610000

trusted library allocation

page read and write

1260000

heap

page read and write

7690000

trusted library allocation

page read and write

1344000

heap

page read and write

3190000

trusted library allocation

page read and write

262B000

trusted library allocation

page execute and read and write

13FC000

stack

page read and write

2622000

trusted library allocation

page read and write

EB0D000

stack

page read and write

1341000

heap

page read and write

C31000

heap

page read and write

55F0000

trusted library allocation

page read and write

55E0000

heap

page read and write

1224000

trusted library allocation

page read and write

BC8000

heap

page read and write

4ECC000

stack

page read and write

26F0000

trusted library allocation

page execute and read and write

125B000

trusted library allocation

page execute and read and write

4E70000

trusted library allocation

page read and write

A50000

heap

page read and write

55D5000

heap

page read and write

5EF0000

trusted library allocation

page read and write

1220000

trusted library allocation

page read and write

28D4000

trusted library allocation

page read and write

2620000

trusted library allocation

page read and write

7612000

trusted library allocation

page read and write

2818000

trusted library allocation

page read and write

73E0000

trusted library section

page read and write

63B0000

heap

page read and write

153E000

stack

page read and write

4E30000

trusted library allocation

page read and write

166D000

trusted library allocation

page read and write

75D0000

trusted library allocation

page execute and read and write

EC10000

heap

page read and write

BE8000

heap

page read and write

1242000

trusted library allocation

page read and write

31D0000

heap

page read and write

77A2000

trusted library allocation

page read and write

5EE0000

trusted library allocation

page read and write

59D0000

heap

page read and write

1430000

heap

page read and write

7F2C0000

trusted library allocation

page execute and read and write

938000

stack

page read and write

260D000

trusted library allocation

page execute and read and write

839000

stack

page read and write

A70000

heap

page read and write

4EF3000

heap

page read and write

1250000

trusted library allocation

page read and write

2627000

trusted library allocation

page execute and read and write

EC0D000

stack

page read and write

4E62000

trusted library allocation

page read and write

E9CE000

stack

page read and write

2700000

heap

page read and write

1640000

trusted library allocation

page read and write

2610000

trusted library allocation

page read and write

B90000

unkown

page readonly

122D000

trusted library allocation

page execute and read and write

C55000

heap

page read and write

11CE000

stack

page read and write

59E0000

heap

page read and write

5BD0000

trusted library section

page read and write

5DB0000

trusted library allocation

page execute and read and write

BC0000

heap

page read and write

2612000

trusted library allocation

page read and write

1230000

trusted library allocation

page read and write

1690000

trusted library allocation

page read and write

5B5E000

stack

page read and write

164B000

trusted library allocation

page read and write

31C0000

trusted library section

page readonly

6610000

heap

page read and write

556B000

stack

page read and write

165E000

trusted library allocation

page read and write

2FE0000

heap

page read and write

520C000

stack

page read and write

E88E000

stack

page read and write

B647000

trusted library allocation

page read and write

12EE000

heap

page read and write

318C000

stack

page read and write

5633000

heap

page read and write

41F1000

trusted library allocation

page read and write

E6E0000

trusted library allocation

page execute and read and write

EE8E000

stack

page read and write

54A9000

trusted library allocation

page read and write

1223000

trusted library allocation

page execute and read and write

54A0000

trusted library allocation

page read and write

38F1000

trusted library allocation

page read and write

59CD000

stack

page read and write

530F000

stack

page read and write

2600000

trusted library allocation

page read and write

5ADE000

heap

page read and write

25E0000

trusted library allocation

page read and write

1666000

trusted library allocation

page read and write

3953000

trusted library allocation

page read and write

4BCE000

trusted library allocation

page read and write

4E3E000

trusted library allocation

page read and write

4FBE000

stack

page read and write

2F4E000

stack

page read and write

E6CE000

stack

page read and write

131B000

heap

page read and write

353C000

trusted library allocation

page read and write

4F3E000

stack

page read and write

63EF000

heap

page read and write

5BE0000

trusted library section

page read and write

5DA6000

trusted library allocation

page read and write

2F50000

trusted library allocation

page read and write

109E000

stack

page read and write

16A7000

heap

page read and write

4F7E000

stack

page read and write

1246000

trusted library allocation

page execute and read and write

4E3B000

trusted library allocation

page read and write

5EE7000

trusted library allocation

page read and write

1210000

trusted library allocation

page read and write

55D0000

heap

page read and write

1295000

heap

page read and write

ED4D000

stack

page read and write

10B0000

heap

page read and write

A75000

heap

page read and write

1661000

trusted library allocation

page read and write

970000

heap

page read and write

4EF0000

heap

page read and write

1696000

trusted library allocation

page read and write

31F1000

trusted library allocation

page read and write

4E4E000

trusted library allocation

page read and write

13BE000

stack

page read and write

3271000

trusted library allocation

page read and write

4D30000

heap

page read and write

36FE000

trusted library allocation

page read and write

4E51000

trusted library allocation

page read and write

2640000

trusted library allocation

page read and write

71A0000

heap

page read and write

130B000

heap

page read and write

5D8C000

trusted library allocation

page read and write

49ED000

stack

page read and write

26CC000

stack

page read and write

5590000

trusted library allocation

page read and write

4E4A000

trusted library allocation

page read and write

4E5D000

trusted library allocation

page read and write

12A0000

heap

page read and write

5AD0000

heap

page read and write

25F4000

trusted library allocation

page read and write

4EED000

trusted library allocation

page read and write

CDA000

stack

page read and write

4D40000

heap

page read and write

5E9F000

stack

page read and write

5EDE000

stack

page read and write

25F3000

trusted library allocation

page execute and read and write

124A000

trusted library allocation

page execute and read and write

1680000

trusted library allocation

page read and write

25F0000

trusted library allocation

page read and write

1257000

trusted library allocation

page execute and read and write

63E2000

heap

page read and write

1252000

trusted library allocation

page read and write

2966000

trusted library allocation

page read and write

4E42000

trusted library allocation

page read and write

25FD000

trusted library allocation

page execute and read and write

FB0000

heap

page read and write

A78000

heap

page read and write

28E0000

heap

page execute and read and write

1420000

trusted library allocation

page read and write

5A00000

heap

page read and write

BF7000

heap

page read and write

5DFD000

stack

page read and write

There are 241 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
OKJ2402PRT000025.PDF.scr.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOKJ2402PRT000025.PDF.scr.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
OKJ2402PRT000025.PDF.scr.exe