Windows Analysis Report
CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe

Overview

General Information

Sample name: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Analysis ID: 1670334
MD5: 9cad466dda9c3a4278f28e6451159b96
SHA1: 9b89998ada7d252939b6ed05e040ea0ca4dfea1b
SHA256: dfae325223b17a4c65ea52dd31263dca38c50b48e814696ce39e871fffce8cd5
Tags: exe, user-James_inthe_box

Detection

Family: AgentTesla
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • Analysis system: w10x64
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration (AgentTesla):
{
  "Exfil Mode": "FTP",
  "Host": "ftp://ftp.dorasanat.com.tr",
  "Username": "useradmin@dorasanat.com.tr",
  "Password": "#9e{{YWsO?~I"
}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2532310991.0000000002A67000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 further entries are collapsed in the original report)
Yara matches in unpacked PE images (Source | Rule | Description | Author), with the matched strings and their offsets where the report lists them:
4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3283d: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x328af: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32939: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x329cb: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32a35: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32aa7: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32b3d: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32bcd: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2f983: $s2: GetPrivateProfileString
  • 0x2ef7a: $s3: get_OSFullName
  • 0x30705: $s5: remove_Key
  • 0x308e8: $s5: remove_Key
  • 0x317e8: $s6: FtpWebRequest
  • 0x3281f: $s7: logins
  • 0x32d91: $s7: logins
  • 0x35a74: $s7: logins
  • 0x35b54: $s7: logins
  • 0x374a9: $s7: logins
  • 0x366ee: $s9: 1.85 (Hash, version 2, native byte-order)
5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(15 further entries are collapsed in the original report)
No Sigma rule has matched
No Suricata rule has matched
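The two ditekSHen hits above list which strings fired and at what offsets in the unpacked .NET image. The Python below is an added illustration for readers without a YARA toolchain; it is not part of the Joe Sandbox report and not ditekSHen's rule code. It re-implements only the string side of those matches: it searches a buffer for the vault schema GUIDs and AgentTesla strings copied from the hit list, in both ASCII and UTF-16LE (what YARA's `ascii wide` modifier does, and why a single string such as `logins` can hit at several offsets), and reports hits in the same offset/string form. The sample buffer is constructed, and the "how many strings must match" thresholds are assumptions, because the full rule conditions are not shown on this page.

```python
"""String matcher mirroring the two ditekSHen rule hits in this report.
Added example, not Joe Sandbox or ditekSHen code. The match thresholds
below are assumptions; the real rule conditions are not on the page."""
import re

# Strings copied from the report's hit lists (not the full rule bodies).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]
AGENTTESLA_V2_STRINGS = [
    "GetPrivateProfileString", "get_OSFullName", "remove_Key",
    "FtpWebRequest", "logins", "1.85 (Hash, version 2, native byte-order)",
]


def find_all(buf: bytes, s: str):
    """Offsets of s in buf as (offset, encoding), checking both ASCII and
    UTF-16LE forms, which is what YARA's `ascii wide` modifier does."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = s.encode(enc)
        for m in re.finditer(re.escape(needle), buf):
            hits.append((m.start(), enc))
    return sorted(hits)


def scan(buf: bytes) -> dict:
    """Return {rule_name: [(string, offset, encoding), ...]} for each rule
    whose assumed condition is satisfied by buf."""
    results = {}
    vault = [(g, off, enc) for g in VAULT_SCHEMA_GUIDS for off, enc in find_all(buf, g)]
    # Assumed condition: at least 3 distinct vault schema GUIDs present.
    if len({g for g, _, _ in vault}) >= 3:
        results["INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID"] = vault
    tesla = [(s, off, enc) for s in AGENTTESLA_V2_STRINGS for off, enc in find_all(buf, s)]
    # Assumed condition: at least 4 distinct AgentTesla strings present.
    if len({s for s, _, _ in tesla}) >= 4:
        results["MALWARE_Win_AgentTeslaV2"] = tesla
    return results


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET dump: filler bytes with the
    GUIDs stored as UTF-16LE (the .NET user-string heap is UTF-16) and the
    method/table names as ASCII (as they sit in the metadata string heap)."""
    parts = [b"\x00" * 64]
    for g in VAULT_SCHEMA_GUIDS[:4]:
        parts += [g.encode("utf-16-le"), b"\x00" * 30]
    for s in ("GetPrivateProfileString", "get_OSFullName", "FtpWebRequest", "logins"):
        parts += [s.encode("ascii"), b"\x00" * 16]
    parts.append(b"1.85 (Hash, version 2, native byte-order)")
    return b"".join(parts)


if __name__ == "__main__":
    for rule, hits in scan(build_sample()).items():
        print(rule)
        for s, off, enc in hits:
            print(f"  0x{off:x} ({enc}): {s}")
```

Run against a real unpacked image (`scan(open(path, "rb").read())`) the output is directly comparable with the report's `0x...: $sN: ...` lines; the encoding column tells you which heap the string came from, which matters when you write your own rule and have to decide between `ascii`, `wide` or both.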

AV Detection

Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Avira: detected
Source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.dorasanat.com.tr", "Username": "useradmin@dorasanat.com.tr", "Password": "#9e{{YWsO?~I"}
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | VirusTotal: Detection: 41%
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | ReversingLabs: Detection: 50%
Source: Submitted sample | Neural Call Log Analysis: 97.4%
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 / Host: ip-api.com / Connection: Keep-Alive (no User-Agent header is sent; this is the request behind the "Check if machine is in data center or colocation facility" signature: ip-api's hosting field reports whether the public IP belongs to a hosting or colocation provider, which the stealer treats as a sandbox indicator)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2531258894.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, xljC6U.cs | .Net Code: YPw7g

System Summary

Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload (author: ditekSHen)
Source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload (author: ditekSHen)
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Code functions: 4_2_011C3E28, 4_2_011CE1C4, 4_2_011C7018, 5_2_00FEB892, 5_2_00FE4AC8, 5_2_00FE3EB0, 5_2_00FE41F8, 5_2_06793458, 5_2_067959A8, 5_2_06790040, 5_2_06790007, 5_2_067952C0
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef45b853c-c9d3-495e-9acb-d41a4a90029f.exeP vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1291568094.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1293479689.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef45b853c-c9d3-495e-9acb-d41a4a90029f.exeP vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1298950033.00000000072B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef45b853c-c9d3-495e-9acb-d41a4a90029f.exeP vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530703586.0000000000B59000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Binary or memory string: OriginalFilenameamrl.exe0 vs CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, 9O2OLI.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, hdYUG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, LGBZ4N2f.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, F8OmG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, Bgo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, k7FmsUgnvL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, JI5WDtG4R4ehQaWemK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole), System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, TH0lKuoIalnFMu4GHl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity), System.Security.Principal.WindowsIdentity.GetCurrent(), System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, TH0lKuoIalnFMu4GHl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity), System.Security.Principal.WindowsIdentity.GetCurrent(), System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, JI5WDtG4R4ehQaWemK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole), System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, TH0lKuoIalnFMu4GHl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity), System.Security.Principal.WindowsIdentity.GetCurrent(), System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, JI5WDtG4R4ehQaWemK.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole), System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.log
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Mutant created: NULL
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002B39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the schema of the Chromium "Login Data" password database, consistent with the browser-credential-theft signature above; the Firefox profiles.ini read serves the same purpose for Mozilla profiles)
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | VirusTotal: Detection: 41%
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe "C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe"
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Process created: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe "C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe" (the sample re-launches its own image as a child process; read together with the "Creates a process in suspended mode (likely to inject code)" signature and the AgentTesla payload that the Yara rules match at image base 0x400000 in the child, process 5, this is the injection step, while the 4.2.*.raw.unpack hits are the decrypted payload still sitting in the parent's heap)
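Two of the behaviours in this report translate directly into detections: the `GET /line/?fields=hosting` request to ip-api.com without a User-Agent header (networking lines above) and a binary in a user-writable path re-launching its own image (the process tree just above). The Python below is an added example, not Joe Sandbox code; it runs both checks over constructed sample events. The proxy log format and the process-event field names (`Image`, `ParentImage`, in the style of Sysmon event 1) are assumptions chosen for the illustration, and the sample lines are made up, not captured traffic from this analysis.

```python
"""Two detections derived from this report's behaviour section, run over
constructed sample events. Added example, not Joe Sandbox code; the proxy
log format and the process-event field names are assumptions."""
import re
from urllib.parse import urlsplit

# Assumed proxy log line format:
#   <timestamp> <client_ip> <METHOD> <url> UA="<user-agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) UA="(?P<ua>[^"]*)"$'
)

# Host and path prefix of the lookup seen in the report: the sample asks
# ip-api.com whether its public IP belongs to a hosting provider, a cheap
# sandbox / data-centre check.
HOSTING_LOOKUPS = {"ip-api.com": "/line/"}

# User-writable locations; a binary there re-launching itself is far more
# suspicious than a browser under Program Files spawning its own image.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def check_proxy_line(line: str):
    """Return (client_ip, url, [reasons]) for a suspicious request, else None."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons = []
    prefix = HOSTING_LOOKUPS.get((url.hostname or "").lower())
    if prefix and url.path.startswith(prefix):
        reasons.append("hosting/colo lookup via ip-api.com")
    if not m["ua"]:
        reasons.append("HTTP request without a User-Agent")
    return (m["src"], m["url"], reasons) if reasons else None


def check_process_event(ev: dict):
    """Flag a process whose parent is the same executable, when that executable
    lives in a user-writable path (the self re-launch seen in the process tree)."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if image == parent and image.startswith(USER_WRITABLE):
        return f"self re-launch from user-writable path: {ev['Image']}"
    return None


# Constructed sample data (not captured traffic or telemetry from the analysis).
PROXY_SAMPLE = [
    '2025-02-18T07:31:02Z 10.0.0.15 GET http://ip-api.com/line/?fields=hosting UA=""',
    '2025-02-18T07:31:05Z 10.0.0.15 GET http://www.msftconnecttest.com/connecttest.txt UA="Microsoft NCSI"',
    '2025-02-18T07:32:10Z 10.0.0.22 POST http://updates.example/ping UA=""',
]
SAMPLE_EXE = r"C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe"
PROCESS_SAMPLE = [
    {"Image": SAMPLE_EXE, "ParentImage": SAMPLE_EXE},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def run_checks(proxy_lines=PROXY_SAMPLE, process_events=PROCESS_SAMPLE):
    """Apply both checks; returns (proxy_alerts, process_alerts)."""
    proxy_alerts = [a for a in map(check_proxy_line, proxy_lines) if a]
    process_alerts = [a for a in map(check_process_event, process_events) if a]
    return proxy_alerts, process_alerts


if __name__ == "__main__":
    for section in run_checks():
        for alert in section:
            print(alert)
```

The two conditions are kept separate on purpose: the missing User-Agent alone is noisy (many updaters omit it), and a lone ip-api.com lookup can be legitimate, but the combination from one client, followed by a self re-launch from a user profile directory, reproduces exactly the sequence this report recorded and is worth an alert on its own.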
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, TH0lKuoIalnFMu4GHl.cs | .Net Code: nBZHYiuIK3 System.Reflection.Assembly.Load(byte[])
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.3d92ec8.2.raw.unpack, MainForm.cs | .Net Code: _200F_206B_206F_200F_206D_206E_202A_200F_200C_202A_200F_206E_206A_206D_200C_202A_206D_200E_206B_200C_202A_202C_206A_202B_206B_206C_206E_206A_202B_206A_200E_202A_206C_202D_206C_200E_202E_206E_202D_200E_202E System.Reflection.Assembly.Load(byte[])
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, TH0lKuoIalnFMu4GHl.cs | .Net Code: nBZHYiuIK3 System.Reflection.Assembly.Load(byte[])
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, TH0lKuoIalnFMu4GHl.cs | .Net Code: nBZHYiuIK3 System.Reflection.Assembly.Load(byte[])
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.57d0000.4.raw.unpack, MainForm.cs | .Net Code: _200F_206B_206F_200F_206D_206E_202A_200F_200C_202A_200F_206E_206A_206D_200C_202A_206D_200E_206B_200C_202A_202C_206A_202B_206B_206C_206E_206A_202B_206A_200E_202A_206C_202D_206C_200E_202E_206E_202D_200E_202E System.Reflection.Assembly.Load(byte[])
                  Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Static PE information: section name: .text entropy: 7.87379584283448
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, jKTZMLhNT1chWXG3hg.cs | High entropy of concatenated method names: 'rEqceUU9dcuIgusqZfe', 'HjCQSsUa26dJ8GXZRZO', 'UVo5lxD5oC', 'WNv5E31ubP', 'ewC51YDrc2', 'xyMERtUieAkAi2L8CQG', 'AGERlYUd6Ht47g77NNj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, QH1qDrXGvlvpO0rKCh.cs | High entropy of concatenated method names: 'Dispose', 'GHYQjyW2AO', 'h1YFhmhyOy', 'pVXM4HR5fw', 'grkQTdsoX3', 'SwsQzbHbCx', 'ProcessDialogKey', 'nBQFV8ThgL', 'MEoFQZxR6l', 'JXGFF6a1kj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, Mv0Bs3WblbG5I0Bsbx.cs | High entropy of concatenated method names: 'vVG4GOdVc7', 'Bl34pSUyJ7', 'tEY4BCtuj0', 'cNI4h0f2h5', 'gAv4Rsbj0T', 'bOZ4UkeVyc', 'djE4iHtwnv', 'SLa4OVwlVi', 'dOm4JshpYg', 'RNN46AVUbJ'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, TH0lKuoIalnFMu4GHl.cs | High entropy of concatenated method names: 'nNlcyZSnYK', 'SW2c9idOaK', 'XrDcXXPilE', 'vENceTsYAT', 'QF6cajjlNP', 'WC2c558eBh', 'bTrcfBdSRX', 'ISIcoDjMW3', 'PTIcbjn8RW', 'MYacMQmgQU'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, b8ThgLjOEoZxR6lUXG.cs | High entropy of concatenated method names: 'CmPEBL62fX', 'FVWEhZisIu', 'a5GEKSDN65', 'c8xERVx11r', 'XOPEUy6LSj', 't6ZEndGWIk', 'L7iEiIN94F', 'pyTEOvk8mP', 'RkaE3AMtNS', 'gMUEJ9IdIN'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, T9h9cnzFxw0gVb1ZTL.cs | High entropy of concatenated method names: 'oMr1kZIT2c', 'f8o1GRAMlx', 'tmR1p8gk84', 'YMJ1BVQ26G', 'jPE1hubDiB', 'ltA1RAdR47', 'CsY1UXxuIx', 'Ewk1NbgIPQ', 'fsX1Z55a2d', 'TTo18CKZl2'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, m6pUWMQQKA7o6OmUH6E.cs | High entropy of concatenated method names: 'TDC1TPe2Tk', 'zMW1zjM1lg', 'gJi2Vy96M3', 'eDj2QRPAvV', 'kWP2FCrhni', 'lA42caaDCw', 'IdZ2HbanfL', 'jR82yha5cT', 'S0m29lyaDn', 't012XQyVrd'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, c6N1MsBXAR7FcUC5xM.cs | High entropy of concatenated method names: 'A3H5yJ2OeX', 'AJs5Xvxjsk', 'COB5arRjbX', 'Cq25f5lben', 'PHP5oilHq6', 'r3cau2Gcb3', 'Mksadn97AZ', 'GiIamBtpQe', 'DDPavSlrl5', 'HPdajWVpXW'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, JI5WDtG4R4ehQaWemK.cs | High entropy of concatenated method names: 'xA0Xr7LnxJ', 'WolX0OhdJX', 'EaTX7MoTOv', 'C9hXLrxNqn', 'R94Xu9krHJ', 'iruXdo0aTe', 'NYiXmrtyAt', 'fhjXvMM8b6', 'frSXjMJ2UH', 'NjmXTMdNAO'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, TDH1OdHiQRQxVbOxSW.cs | High entropy of concatenated method names: 'syUQfI5WDt', 'nR4QoehQaW', 'nuNQM80khH', 'jSrQAcbsH5', 'vU2QIBKF6N', 'sMsQsXAR7F', 'URs1EUgbsXRquD1aAo', 'ocMGkcJ4DD9iwi2yk9', 'lmpQQZ06ik', 'YgsQcsiTL4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, mJQ1Q4puN80khH5Src.cs | High entropy of concatenated method names: 'fKwegZhUVJ', 'thcekgy7v7', 'wI4eGOt1md', 'U8leplARmX', 'RWAeI3XeVp', 'iDies6kYV1', 'GLMeqC3lVT', 'Av3elUqyuC', 'KxGeEIcHNZ', 'tPGe1wETHA'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, oUxF8E3Bf6aNZxfvmN.cs | High entropy of concatenated method names: 'fLwfZsFZ6b', 'viBf8iBNIi', 'VfWfYR2dHr', 'cdcfg3Q9oQ', 'G0Ufw0IRq3', 'Aj0fkS9sOL', 'aCtfPytNXr', 'WugfGDoYru', 'BGJfpGMNYZ', 'vlBftD89S6'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, V7otFKQHJQdTYmZTHn2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JXcSERrETc', 'bKLS1myCVN', 'yRHS2XDbB2', 'TrjSSBxSnS', 'RKdSDnD0Lb', 'VvxSxOHQqL', 'lGlSNGXho4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, YXXc8irqGi5EMeaGqu.cs | High entropy of concatenated method names: 'OOlIJBMW0k', 'CUUIC1K0SV', 'DJqIrmhHbN', 'UubI0QMODk', 'VB3Ih574EX', 'QcGIKPg77q', 'HSBIRYJtfo', 'l4RIU1nB0I', 'eAxInkupy4', 'wutIiaQobk'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, h5VNuFi9MXN9Unm9N2.cs | High entropy of concatenated method names: 'gZvf9TemU0', 'AaGfefed94', 'pdaf5GxIi5', 'acJ5TxXDd3', 'JQk5zC92pb', 'SGYfVDZpgS', 'flpfQRa77N', 'QRPfFEDrpo', 'QGlfc5aWii', 'rqsfHPHIeD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, w7kjg9mP7hHYyW2AOX.cs | High entropy of concatenated method names: 'GbrEIae73x', 'fg6EqTdyfg', 'i3vEEaJXZX', 'OcfE27GtW5', 'jvWEDyEnwR', 'pB3ENvNEvg', 'Dispose', 'JCMl9jneh6', 'dR3lXAp8HR', 'pLuleslvEM'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, fQsu5tQVEIKA0jGMig4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XpG16bKQ2c', 'LTN1CuqmJF', 'soW1WQ0Eis', 'kd01rqT9Dg', 'qLZ10k1FlM', 'rsX17xPS7r', 'f6X1LRuBB3'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, lsH5OltCeWR2kDU2BK.cs | High entropy of concatenated method names: 'YtSawjO0jK', 'dKsaPvXbbu', 'qUdeKwv5Hk', 'OGQeRRtvkx', 'Ws9eUYJOwG', 'rJfenmBKLA', 'if2eivpsg3', 'Yv7eOK7XLe', 'GNie3RltNT', 'lm7eJiGPm0'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, KFsYExFVjjBA1TXDfv.cs | High entropy of concatenated method names: 'tL2YsSNM9', 'W84gws2e7', 'rfskxRkM3', 'M6qP0mp8q', 'kQYp6GcgU', 'hgItCMfch', 'xHZZaLTvIR5C3VsLZh', 'gbQLU8nEiyUQYTRwgN', 'M0olDwww8', 'ewh19d9GD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, GZX17hQFKgjJ2Z70tkC.cs | High entropy of concatenated method names: 'ToString', 'P8Q2Gb9L1d', 'Lo52pLBngu', 'lUc2tl0fAL', 'Kp22BfCH90', 'pjJ2hKu1b8', 'vpK2KyaOyd', 'lyv2RSWeqD', 'MounFjVz8Bsb5t8J5In', 'JWWo97eAjX3NRUYbPHl'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, hJ1bph7UPjaaalyEJL.cs | High entropy of concatenated method names: 'ToString', 'wV1s6sKH41', 'sxlshPmqwF', 'SBxsK3wK8c', 'x2ksRJBFbK', 'n3hsUBVEMd', 'hXjsnubG4d', 'W4ZsiGpDvu', 'RY4sO4bjGk', 'VEls3mJA5i'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, jKTZMLhNT1chWXG3hg.cs | High entropy of concatenated method names: 'rEqceUU9dcuIgusqZfe', 'HjCQSsUa26dJ8GXZRZO', 'UVo5lxD5oC', 'WNv5E31ubP', 'ewC51YDrc2', 'xyMERtUieAkAi2L8CQG', 'AGERlYUd6Ht47g77NNj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, QH1qDrXGvlvpO0rKCh.cs | High entropy of concatenated method names: 'Dispose', 'GHYQjyW2AO', 'h1YFhmhyOy', 'pVXM4HR5fw', 'grkQTdsoX3', 'SwsQzbHbCx', 'ProcessDialogKey', 'nBQFV8ThgL', 'MEoFQZxR6l', 'JXGFF6a1kj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, Mv0Bs3WblbG5I0Bsbx.cs | High entropy of concatenated method names: 'vVG4GOdVc7', 'Bl34pSUyJ7', 'tEY4BCtuj0', 'cNI4h0f2h5', 'gAv4Rsbj0T', 'bOZ4UkeVyc', 'djE4iHtwnv', 'SLa4OVwlVi', 'dOm4JshpYg', 'RNN46AVUbJ'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, TH0lKuoIalnFMu4GHl.cs | High entropy of concatenated method names: 'nNlcyZSnYK', 'SW2c9idOaK', 'XrDcXXPilE', 'vENceTsYAT', 'QF6cajjlNP', 'WC2c558eBh', 'bTrcfBdSRX', 'ISIcoDjMW3', 'PTIcbjn8RW', 'MYacMQmgQU'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, b8ThgLjOEoZxR6lUXG.cs | High entropy of concatenated method names: 'CmPEBL62fX', 'FVWEhZisIu', 'a5GEKSDN65', 'c8xERVx11r', 'XOPEUy6LSj', 't6ZEndGWIk', 'L7iEiIN94F', 'pyTEOvk8mP', 'RkaE3AMtNS', 'gMUEJ9IdIN'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, T9h9cnzFxw0gVb1ZTL.cs | High entropy of concatenated method names: 'oMr1kZIT2c', 'f8o1GRAMlx', 'tmR1p8gk84', 'YMJ1BVQ26G', 'jPE1hubDiB', 'ltA1RAdR47', 'CsY1UXxuIx', 'Ewk1NbgIPQ', 'fsX1Z55a2d', 'TTo18CKZl2'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, m6pUWMQQKA7o6OmUH6E.cs | High entropy of concatenated method names: 'TDC1TPe2Tk', 'zMW1zjM1lg', 'gJi2Vy96M3', 'eDj2QRPAvV', 'kWP2FCrhni', 'lA42caaDCw', 'IdZ2HbanfL', 'jR82yha5cT', 'S0m29lyaDn', 't012XQyVrd'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, c6N1MsBXAR7FcUC5xM.cs | High entropy of concatenated method names: 'A3H5yJ2OeX', 'AJs5Xvxjsk', 'COB5arRjbX', 'Cq25f5lben', 'PHP5oilHq6', 'r3cau2Gcb3', 'Mksadn97AZ', 'GiIamBtpQe', 'DDPavSlrl5', 'HPdajWVpXW'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, JI5WDtG4R4ehQaWemK.cs | High entropy of concatenated method names: 'xA0Xr7LnxJ', 'WolX0OhdJX', 'EaTX7MoTOv', 'C9hXLrxNqn', 'R94Xu9krHJ', 'iruXdo0aTe', 'NYiXmrtyAt', 'fhjXvMM8b6', 'frSXjMJ2UH', 'NjmXTMdNAO'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, TDH1OdHiQRQxVbOxSW.cs | High entropy of concatenated method names: 'syUQfI5WDt', 'nR4QoehQaW', 'nuNQM80khH', 'jSrQAcbsH5', 'vU2QIBKF6N', 'sMsQsXAR7F', 'URs1EUgbsXRquD1aAo', 'ocMGkcJ4DD9iwi2yk9', 'lmpQQZ06ik', 'YgsQcsiTL4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, mJQ1Q4puN80khH5Src.cs | High entropy of concatenated method names: 'fKwegZhUVJ', 'thcekgy7v7', 'wI4eGOt1md', 'U8leplARmX', 'RWAeI3XeVp', 'iDies6kYV1', 'GLMeqC3lVT', 'Av3elUqyuC', 'KxGeEIcHNZ', 'tPGe1wETHA'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, oUxF8E3Bf6aNZxfvmN.cs | High entropy of concatenated method names: 'fLwfZsFZ6b', 'viBf8iBNIi', 'VfWfYR2dHr', 'cdcfg3Q9oQ', 'G0Ufw0IRq3', 'Aj0fkS9sOL', 'aCtfPytNXr', 'WugfGDoYru', 'BGJfpGMNYZ', 'vlBftD89S6'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, V7otFKQHJQdTYmZTHn2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JXcSERrETc', 'bKLS1myCVN', 'yRHS2XDbB2', 'TrjSSBxSnS', 'RKdSDnD0Lb', 'VvxSxOHQqL', 'lGlSNGXho4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, YXXc8irqGi5EMeaGqu.cs | High entropy of concatenated method names: 'OOlIJBMW0k', 'CUUIC1K0SV', 'DJqIrmhHbN', 'UubI0QMODk', 'VB3Ih574EX', 'QcGIKPg77q', 'HSBIRYJtfo', 'l4RIU1nB0I', 'eAxInkupy4', 'wutIiaQobk'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, h5VNuFi9MXN9Unm9N2.cs | High entropy of concatenated method names: 'gZvf9TemU0', 'AaGfefed94', 'pdaf5GxIi5', 'acJ5TxXDd3', 'JQk5zC92pb', 'SGYfVDZpgS', 'flpfQRa77N', 'QRPfFEDrpo', 'QGlfc5aWii', 'rqsfHPHIeD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, w7kjg9mP7hHYyW2AOX.cs | High entropy of concatenated method names: 'GbrEIae73x', 'fg6EqTdyfg', 'i3vEEaJXZX', 'OcfE27GtW5', 'jvWEDyEnwR', 'pB3ENvNEvg', 'Dispose', 'JCMl9jneh6', 'dR3lXAp8HR', 'pLuleslvEM'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, fQsu5tQVEIKA0jGMig4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XpG16bKQ2c', 'LTN1CuqmJF', 'soW1WQ0Eis', 'kd01rqT9Dg', 'qLZ10k1FlM', 'rsX17xPS7r', 'f6X1LRuBB3'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, lsH5OltCeWR2kDU2BK.cs | High entropy of concatenated method names: 'YtSawjO0jK', 'dKsaPvXbbu', 'qUdeKwv5Hk', 'OGQeRRtvkx', 'Ws9eUYJOwG', 'rJfenmBKLA', 'if2eivpsg3', 'Yv7eOK7XLe', 'GNie3RltNT', 'lm7eJiGPm0'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, KFsYExFVjjBA1TXDfv.cs | High entropy of concatenated method names: 'tL2YsSNM9', 'W84gws2e7', 'rfskxRkM3', 'M6qP0mp8q', 'kQYp6GcgU', 'hgItCMfch', 'xHZZaLTvIR5C3VsLZh', 'gbQLU8nEiyUQYTRwgN', 'M0olDwww8', 'ewh19d9GD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, GZX17hQFKgjJ2Z70tkC.cs | High entropy of concatenated method names: 'ToString', 'P8Q2Gb9L1d', 'Lo52pLBngu', 'lUc2tl0fAL', 'Kp22BfCH90', 'pjJ2hKu1b8', 'vpK2KyaOyd', 'lyv2RSWeqD', 'MounFjVz8Bsb5t8J5In', 'JWWo97eAjX3NRUYbPHl'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, hJ1bph7UPjaaalyEJL.cs | High entropy of concatenated method names: 'ToString', 'wV1s6sKH41', 'sxlshPmqwF', 'SBxsK3wK8c', 'x2ksRJBFbK', 'n3hsUBVEMd', 'hXjsnubG4d', 'W4ZsiGpDvu', 'RY4sO4bjGk', 'VEls3mJA5i'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, jKTZMLhNT1chWXG3hg.cs | High entropy of concatenated method names: 'rEqceUU9dcuIgusqZfe', 'HjCQSsUa26dJ8GXZRZO', 'UVo5lxD5oC', 'WNv5E31ubP', 'ewC51YDrc2', 'xyMERtUieAkAi2L8CQG', 'AGERlYUd6Ht47g77NNj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, QH1qDrXGvlvpO0rKCh.cs | High entropy of concatenated method names: 'Dispose', 'GHYQjyW2AO', 'h1YFhmhyOy', 'pVXM4HR5fw', 'grkQTdsoX3', 'SwsQzbHbCx', 'ProcessDialogKey', 'nBQFV8ThgL', 'MEoFQZxR6l', 'JXGFF6a1kj'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, Mv0Bs3WblbG5I0Bsbx.cs | High entropy of concatenated method names: 'vVG4GOdVc7', 'Bl34pSUyJ7', 'tEY4BCtuj0', 'cNI4h0f2h5', 'gAv4Rsbj0T', 'bOZ4UkeVyc', 'djE4iHtwnv', 'SLa4OVwlVi', 'dOm4JshpYg', 'RNN46AVUbJ'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, TH0lKuoIalnFMu4GHl.cs | High entropy of concatenated method names: 'nNlcyZSnYK', 'SW2c9idOaK', 'XrDcXXPilE', 'vENceTsYAT', 'QF6cajjlNP', 'WC2c558eBh', 'bTrcfBdSRX', 'ISIcoDjMW3', 'PTIcbjn8RW', 'MYacMQmgQU'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, b8ThgLjOEoZxR6lUXG.cs | High entropy of concatenated method names: 'CmPEBL62fX', 'FVWEhZisIu', 'a5GEKSDN65', 'c8xERVx11r', 'XOPEUy6LSj', 't6ZEndGWIk', 'L7iEiIN94F', 'pyTEOvk8mP', 'RkaE3AMtNS', 'gMUEJ9IdIN'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, T9h9cnzFxw0gVb1ZTL.cs | High entropy of concatenated method names: 'oMr1kZIT2c', 'f8o1GRAMlx', 'tmR1p8gk84', 'YMJ1BVQ26G', 'jPE1hubDiB', 'ltA1RAdR47', 'CsY1UXxuIx', 'Ewk1NbgIPQ', 'fsX1Z55a2d', 'TTo18CKZl2'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, m6pUWMQQKA7o6OmUH6E.cs | High entropy of concatenated method names: 'TDC1TPe2Tk', 'zMW1zjM1lg', 'gJi2Vy96M3', 'eDj2QRPAvV', 'kWP2FCrhni', 'lA42caaDCw', 'IdZ2HbanfL', 'jR82yha5cT', 'S0m29lyaDn', 't012XQyVrd'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, c6N1MsBXAR7FcUC5xM.cs | High entropy of concatenated method names: 'A3H5yJ2OeX', 'AJs5Xvxjsk', 'COB5arRjbX', 'Cq25f5lben', 'PHP5oilHq6', 'r3cau2Gcb3', 'Mksadn97AZ', 'GiIamBtpQe', 'DDPavSlrl5', 'HPdajWVpXW'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, JI5WDtG4R4ehQaWemK.cs | High entropy of concatenated method names: 'xA0Xr7LnxJ', 'WolX0OhdJX', 'EaTX7MoTOv', 'C9hXLrxNqn', 'R94Xu9krHJ', 'iruXdo0aTe', 'NYiXmrtyAt', 'fhjXvMM8b6', 'frSXjMJ2UH', 'NjmXTMdNAO'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, TDH1OdHiQRQxVbOxSW.cs | High entropy of concatenated method names: 'syUQfI5WDt', 'nR4QoehQaW', 'nuNQM80khH', 'jSrQAcbsH5', 'vU2QIBKF6N', 'sMsQsXAR7F', 'URs1EUgbsXRquD1aAo', 'ocMGkcJ4DD9iwi2yk9', 'lmpQQZ06ik', 'YgsQcsiTL4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, mJQ1Q4puN80khH5Src.cs | High entropy of concatenated method names: 'fKwegZhUVJ', 'thcekgy7v7', 'wI4eGOt1md', 'U8leplARmX', 'RWAeI3XeVp', 'iDies6kYV1', 'GLMeqC3lVT', 'Av3elUqyuC', 'KxGeEIcHNZ', 'tPGe1wETHA'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, oUxF8E3Bf6aNZxfvmN.cs | High entropy of concatenated method names: 'fLwfZsFZ6b', 'viBf8iBNIi', 'VfWfYR2dHr', 'cdcfg3Q9oQ', 'G0Ufw0IRq3', 'Aj0fkS9sOL', 'aCtfPytNXr', 'WugfGDoYru', 'BGJfpGMNYZ', 'vlBftD89S6'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, V7otFKQHJQdTYmZTHn2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JXcSERrETc', 'bKLS1myCVN', 'yRHS2XDbB2', 'TrjSSBxSnS', 'RKdSDnD0Lb', 'VvxSxOHQqL', 'lGlSNGXho4'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, YXXc8irqGi5EMeaGqu.cs | High entropy of concatenated method names: 'OOlIJBMW0k', 'CUUIC1K0SV', 'DJqIrmhHbN', 'UubI0QMODk', 'VB3Ih574EX', 'QcGIKPg77q', 'HSBIRYJtfo', 'l4RIU1nB0I', 'eAxInkupy4', 'wutIiaQobk'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, h5VNuFi9MXN9Unm9N2.cs | High entropy of concatenated method names: 'gZvf9TemU0', 'AaGfefed94', 'pdaf5GxIi5', 'acJ5TxXDd3', 'JQk5zC92pb', 'SGYfVDZpgS', 'flpfQRa77N', 'QRPfFEDrpo', 'QGlfc5aWii', 'rqsfHPHIeD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, w7kjg9mP7hHYyW2AOX.cs | High entropy of concatenated method names: 'GbrEIae73x', 'fg6EqTdyfg', 'i3vEEaJXZX', 'OcfE27GtW5', 'jvWEDyEnwR', 'pB3ENvNEvg', 'Dispose', 'JCMl9jneh6', 'dR3lXAp8HR', 'pLuleslvEM'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, fQsu5tQVEIKA0jGMig4.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XpG16bKQ2c', 'LTN1CuqmJF', 'soW1WQ0Eis', 'kd01rqT9Dg', 'qLZ10k1FlM', 'rsX17xPS7r', 'f6X1LRuBB3'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, lsH5OltCeWR2kDU2BK.cs | High entropy of concatenated method names: 'YtSawjO0jK', 'dKsaPvXbbu', 'qUdeKwv5Hk', 'OGQeRRtvkx', 'Ws9eUYJOwG', 'rJfenmBKLA', 'if2eivpsg3', 'Yv7eOK7XLe', 'GNie3RltNT', 'lm7eJiGPm0'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, KFsYExFVjjBA1TXDfv.cs | High entropy of concatenated method names: 'tL2YsSNM9', 'W84gws2e7', 'rfskxRkM3', 'M6qP0mp8q', 'kQYp6GcgU', 'hgItCMfch', 'xHZZaLTvIR5C3VsLZh', 'gbQLU8nEiyUQYTRwgN', 'M0olDwww8', 'ewh19d9GD'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, GZX17hQFKgjJ2Z70tkC.cs | High entropy of concatenated method names: 'ToString', 'P8Q2Gb9L1d', 'Lo52pLBngu', 'lUc2tl0fAL', 'Kp22BfCH90', 'pjJ2hKu1b8', 'vpK2KyaOyd', 'lyv2RSWeqD', 'MounFjVz8Bsb5t8J5In', 'JWWo97eAjX3NRUYbPHl'
                  Source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.72b0000.5.raw.unpack, hJ1bph7UPjaaalyEJL.cs | High entropy of concatenated method names: 'ToString', 'wV1s6sKH41', 'sxlshPmqwF', 'SBxsK3wK8c', 'x2ksRJBFbK', 'n3hsUBVEMd', 'hXjsnubG4d', 'W4ZsiGpDvu', 'RY4sO4bjGk', 'VEls3mJA5i'
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 8136, type: MEMORYSTR
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002B17000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLLT-
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 11C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 7DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 8DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 8F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 9F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: A7C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: B7C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: C7C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: 4A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe TID: 8164; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Thread delayed: delay time: 922337203685477
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A67000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: vmware
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2531652335.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Process information queried: ProcessInformation

                  Anti Debugging

Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Code function: 5_2_00FE7298 CheckRemoteDebuggerPresent,5_2_00FE7298
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Process created: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe "C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe"
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 8136, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 7260, type: MEMORYSTR
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2532310991.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 8136, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 7260, type: MEMORYSTR
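Editor-added example, not part of this report and not Joe Sandbox code: the signature lines in the "Malware Analysis System Evasion", "Anti Debugging" and "Stealing of Sensitive Information" sections above arrive from the page extraction with the source path, the signature verb and its detail fused into one string. The script below parses such lines into records, tags the behaviours those three sections document (WMI hardware fingerprinting, SbieDll/VMware/VBox/Hyper-V strings, the ip-api.com hosting check, write-watch allocations, CheckRemoteDebuggerPresent and the DebugPort query, browser and mail credential-store access), and pulls the HTTP Host values out of the traffic lines. The sample lines are copied from the report with the sample's file name shortened to SAMPLE.exe. Two things in it are the editor's own assumptions rather than statements from the report: the tag names, and the reading of the delay value 922337203685477, which equals 0x8000000000000000 divided by 10000, the interval Windows' SleepEx(INFINITE) hands to NtDelayExecution, so the "long sleep" here reads as an indefinite wait by a thread that has finished its work rather than a timed evasion delay.

```python
"""Parse flattened "Source: <path><Action>: <detail>Jump to behavior" lines
from a Joe Sandbox report and tag the evasion, anti-debug and
credential-theft behaviours the report lists. Editor-added example, not
Joe Sandbox code; REPORT_LINES are copied from the report above with the
sample's file name shortened to SAMPLE.exe."""
import re
from collections import Counter

# Signature verbs that the text extraction fused onto the end of the source.
ACTIONS = (
    "Process information set", "Process information queried", "WMI Queries",
    "Memory allocated", "Thread delayed", "Thread sleep time",
    "Binary or memory string", "HTTP traffic detected", "File opened",
    "Key opened", "Key value queried", "Code function", "Process queried",
    "Process token adjusted",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)(?P<action>" + "|".join(map(re.escape, ACTIONS))
    + r"):\s*(?P<detail>.*?)(?:Jump to behavior)?$")

# WMI classes whose vendor/model strings give away VMware, VirtualBox, Hyper-V.
VM_WMI_CLASSES = ("win32_videocontroller", "win32_baseboard", "win32_bios",
                  "win32_networkadapterconfiguration", "win32_computersystem",
                  "win32_processor")
ANALYSIS_STRINGS = ("sbiedll.dll", "vmware", "vbox", "hyper-v")
# Assumption: SleepEx(INFINITE) passes NtDelayExecution the relative interval
# 0x8000000000000000 (100 ns units); divided by 10000 that is the
# 922337203685477 printed in the report, i.e. an indefinite wait, not a timer.
INFINITE_WAIT_MS = (1 << 63) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's ">= 3 min" threshold
CRED_STORES = {                        # lower-cased path fragment -> store
    "\\login data": "chromium saved logins",
    "\\profiles.ini": "gecko profile index (Firefox/Thunderbird/forks)",
    "windows messaging subsystem\\profiles": "MAPI (Outlook) profiles",
    "incredimail\\identities": "IncrediMail identities",
}

def parse(line):
    """One flattened signature line -> {'src', 'action', 'detail'} or None."""
    m = LINE_RE.match(line.strip())
    return {k: m.group(k).strip() for k in ("src", "action", "detail")} if m else None

def tags_for(rec):
    """Behaviour tags (editor's names) one parsed record supports; may be empty."""
    a, d, tags = rec["action"], rec["detail"].lower(), set()
    if a == "WMI Queries" and any(c in d for c in VM_WMI_CLASSES):
        tags.add("vm_fingerprint_wmi")
    if a == "Binary or memory string" and any(s in d for s in ANALYSIS_STRINGS):
        tags.add("analysis_tool_strings")
    if a == "HTTP traffic detected" and "ip-api.com" in d and "fields=hosting" in d:
        tags.add("hosting_check_via_ip_api")
    if a in ("Thread delayed", "Thread sleep time"):
        ms = int(re.search(r"\d+", d).group())      # first number is the delay
        tags.add("infinite_wait" if ms >= INFINITE_WAIT_MS else
                 "long_sleep" if ms >= LONG_SLEEP_MS else "short_sleep")
    if a == "Memory allocated" and "write watch" in d:
        tags.add("write_watch_allocation")
    if a == "Code function" and "checkremotedebuggerpresent" in d:
        tags.add("anti_debug_api")
    if a == "Process queried" and "debugport" in d:
        tags.add("anti_debug_debugport")
    if a in ("File opened", "Key opened"):
        tags.update("credential_store:" + store
                    for frag, store in CRED_STORES.items() if frag in d)
    return tags

def summarize(lines):
    """Tag counts plus HTTP Host values for a block of report lines."""
    counts, hosts = Counter(), set()
    for rec in filter(None, map(parse, lines)):
        counts.update(tags_for(rec))
        if rec["action"] == "HTTP traffic detected":
            # The extraction also fused the HTTP header lines; re-separate them.
            text = re.sub(r"(?<=\S)(?=(?:Host|Connection|User-Agent|Accept):)",
                          " ", rec["detail"])
            hosts.update(re.findall(r"Host:\s*(\S+)", text))
    return {"tags": dict(counts), "hosts": sorted(hosts)}

# Copied from the report above; only the sample's file name is shortened.
REPORT_LINES = [
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeWMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT * FROM Win32_VideoController",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    "Source: SAMPLE.exe, 00000005.00000002.2532310991.0000000002B17000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLLT-",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeMemory allocated: 11C0000 memory reserve | memory write watchJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exe TID: 8164Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeCode function: 5_2_00FE7298 CheckRemoteDebuggerPresent,5_2_00FE7298",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeProcess queried: DebugPortJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeFile opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login DataJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeFile opened: C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.iniJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\SAMPLE.exeKey opened: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\ProfilesJump to behavior",
]

if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(key, value)
```

Run against the eleven sample lines, summarize() reports two WMI fingerprint queries, one analysis-tool string, the ip-api.com hosting check, one write-watch allocation, one indefinite wait, both anti-debug checks and three credential stores (Chromium, Gecko, MAPI), with ip-api.com as the only HTTP host. The same function over the full signature list of a report gives a quick per-sample behaviour profile; the CRED_STORES fragments are deliberately the leaf names (Login Data, profiles.ini), so Edge, BlackHawk, Cyberfox and Thunderbird lines from the report land in the same two buckets without a per-product list.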

                  Remote Access Functionality

Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.4a50478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.498fa58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe.48cf038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 8136, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe PID: 7260, type: MEMORYSTR

MITRE ATT&CK Matrix: flagged techniques per tactic (badge numbers as printed in the report)

Execution: Windows Management Instrumentation (231)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (261); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); Input Capture (1)
Discovery: Security Software Discovery (531); Process Discovery (1); Virtualization/Sandbox Evasion (261); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (34)
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (2)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no technique flagged
Behavior Graph (ID 1670334; start date 21/04/2025; architecture WINDOWS; score 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
Network node: ip-api.com

Process 1: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe (started from the sample; graph badge: 3)
  Dropped file: CN-Reminder-XXXXX9...712220kbpdf.exe.log, ASCII
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Process 2: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe (started by process 1; graph badges: 15, 2)
  Network: ip-api.com, 208.95.112.1, local port 49694 to remote port 80, TUT-ASUS, United States
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc)

                  Antivirus detection (Source / Detection / Scanner / Label)
                  CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe: 42%, Virustotal
                  CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe: 50%, ReversingLabs, Win32.Spyware.Negasteal
                  CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe: 100%, Avira, HEUR/AGEN.1307338
                  SAMPLE: 100%, Joe Sandbox ML
                  No Antivirus matches


                  Contacted domains (Name / IP / Active / Malicious / Reputation)
                  ip-api.com: 208.95.112.1, active: true, malicious: false, reputation: high
                  Contacted URLs (Name / Malicious / Reputation)
                  http://ip-api.com/line/?fields=hosting: malicious: false, reputation: high
                  URLs from memory and binaries (Name / Source / Malicious / Reputation)
                  https://account.dyn.com/: source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp; CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp; malicious: false, reputation: high
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp; malicious: false, reputation: high
                  http://ip-api.com: source: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002B17000.00000004.00000800.00020000.00000000.sdmp; CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe, 00000005.00000002.2532310991.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp; malicious: false, reputation: high
                  Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious)
                  208.95.112.1: ip-api.com, United States, ASN 53334, TUT-ASUS, malicious: false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1670334
                            Start date and time:2025-04-21 16:02:14 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 19s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 22
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            Timeline (Time / Type / Description)
                            10:03:04, API Interceptor: 1x Sleep call for process: CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe modified
                            16:02:55, Task Scheduler: Run new task: {A7BF9F22-7F95-4E2E-85A3-DC7CFFB49B1A} path: .
                            Associated samples for IP 208.95.112.1 (Sample Name / Detection / Threat Name / Context)
                            5.exe: malicious, Python Stealer, Blank Grabber, context: ip-api.com/json/?fields=225545
                            CZXDSCCG.exe: malicious, AgentTesla, context: ip-api.com/line/?fields=hosting
                            payment receipt.exe: malicious, AgentTesla, context: ip-api.com/line/?fields=hosting
                            SecuriteInfo.com.BackDoor.SiggenNET.71.1887.20790.exe: malicious, Unknown, context: ip-api.com/line/?fields=hosting
                            SecuriteInfo.com.Trojan.MulDrop23.44572.19829.6562.exe: malicious, XWorm, context: ip-api.com/line/?fields=hosting
                            SecuriteInfo.com.Trojan.Siggen31.9411.1178.4099.exe: malicious, AveMaria, Blank Grabber, DCRat, Destiny Stealer, KeyLogger, PureLog Stealer, StormKitty, context: ip-api.com/line/?fields=hosting
                            update.exe: malicious, Python Stealer, Blank Grabber, context: ip-api.com/json/?fields=225545
                            nPbETy6.exe: malicious, Python Stealer, Blank Grabber, context: ip-api.com/line/?fields=hosting
                            ___.exe: malicious, AsyncRAT, XWorm, context: ip-api.com/line/?fields=hosting
                            SecuriteInfo.com.Win32.MalwareX-gen.10393.3408.exe: malicious, AgentTesla, context: ip-api.com/line/?fields=hosting
                            Associated samples for domain ip-api.com and for ASN TUT-ASUS (Sample Name / Detection / Threat Name; context is 208.95.112.1 for every entry in both tables)
                            5.exe: malicious, Python Stealer, Blank Grabber
                            CZXDSCCG.exe: malicious, AgentTesla
                            payment receipt.exe: malicious, AgentTesla
                            SecuriteInfo.com.BackDoor.SiggenNET.71.1887.20790.exe: malicious, Unknown
                            SecuriteInfo.com.Trojan.MulDrop23.44572.19829.6562.exe: malicious, XWorm
                            SecuriteInfo.com.Trojan.Siggen31.9411.1178.4099.exe: malicious, AveMaria, Blank Grabber, DCRat, Destiny Stealer, KeyLogger, PureLog Stealer, StormKitty
                            update.exe: malicious, Python Stealer, Blank Grabber
                            nPbETy6.exe: malicious, Python Stealer, Blank Grabber
                            ___.exe: malicious, AsyncRAT, XWorm
                            SecuriteInfo.com.Win32.MalwareX-gen.10393.3408.exe: malicious, AgentTesla
                            No context
                            Process:C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.870133045257075
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            File size:968'704 bytes
                            MD5:9cad466dda9c3a4278f28e6451159b96
                            SHA1:9b89998ada7d252939b6ed05e040ea0ca4dfea1b
                            SHA256:dfae325223b17a4c65ea52dd31263dca38c50b48e814696ce39e871fffce8cd5
                            SHA512:ed4856ae4051a1baa65b3bd6708ccc14f8a565ca464ebe97c0e462beb6f80c8acdf6478107a28c233f8b0038a42bbfa496ca8f76b1d264324da9e27c30741cc7
                            SSDEEP:24576:eWpzSGDXkOVrGw3d+8MP1so+3F0O5OmTWWHsJiH:7DDXkyrGw3dKteJTQ8
                            TLSH:D425F1E03E36731ADEA05534E669DEB692E51A68B0447EF365DCBB5732CC210AE0CF50
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......h..............0.............j.... ........@.. ....................... ............@................................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x4edc6a
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6805F286 [Mon Apr 21 07:23:50 2025 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction (entry point disassembly)
                            jmp dword ptr [00402000h]
                            The bytes that follow the jump are zero padding, which disassembles as a long run of "add byte ptr [eax], al".
                            Data directories (Name / Virtual Address / Virtual Size / Is in Section)
                            IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT: 0xedc18, 0x4f, .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE: 0xee000, 0x5a8, .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC: 0xf0000, 0xc, .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_IAT: 0x2000, 0x8, .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x2008, 0x48, .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
                            Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics)
                            .text: 0x2000, 0xebc70, 0xebe00, 5f7097950342c09462a413364413f74b, False, 0.9296450632617912, data, 7.87379584283448, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc: 0xee000, 0x5a8, 0x600, 3e2e7671defab2df077b2f1ef63b0596, False, 0.421875, data, 4.062758659141125, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc: 0xf0000, 0xc, 0x200, aab15b3e9f76be789d00bd324034fd7b, False, 0.044921875, data, 0.10191042566270775, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Resources (Name / RVA / Size / Type / Language / Country / ZLIB Complexity)
                            RT_VERSION: 0xee090, 0x318, data, ZLIB complexity 0.43434343434343436
                            RT_MANIFEST: 0xee3b8, 0x1ea, XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators, ZLIB complexity 0.5489795918367347
                            Imports (DLL / Import)
                            mscoree.dll: _CorExeMain
                            Version information (Description / Data)
                            Translation:0x0000 0x04b0
                            Comments:(empty)
                            CompanyName:(empty)
                            FileDescription:Netflix
                            FileVersion:1.0.0.0
                            InternalName:amrl.exe
                            LegalCopyright:Copyright Microsoft 2016
                            LegalTrademarks:(empty)
                            OriginalFilename:amrl.exe
                            ProductName:Netflix
                            ProductVersion:1.0.0.0
                            Assembly Version:1.0.0.0


                            • Total Packets: 5
                            • 80 (HTTP)
                            • 53 (DNS)
                            TCP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
                            Apr 21, 2025 16:03:06.655689001 CEST: 49694 -> 80, 192.168.2.5 -> 208.95.112.1
                            Apr 21, 2025 16:03:06.804554939 CEST: 80 -> 49694, 208.95.112.1 -> 192.168.2.5
                            Apr 21, 2025 16:03:06.804939032 CEST: 49694 -> 80, 192.168.2.5 -> 208.95.112.1
                            Apr 21, 2025 16:03:06.806149006 CEST: 49694 -> 80, 192.168.2.5 -> 208.95.112.1
                            Apr 21, 2025 16:03:06.956104994 CEST: 80 -> 49694, 208.95.112.1 -> 192.168.2.5
                            Apr 21, 2025 16:03:06.996035099 CEST: 49694 -> 80, 192.168.2.5 -> 208.95.112.1
                            Apr 21, 2025 16:03:49.283004045 CEST: 80 -> 49694, 208.95.112.1 -> 192.168.2.5
                            UDP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
                            Apr 21, 2025 16:03:06.468815088 CEST: 59502 -> 53, 192.168.2.5 -> 1.1.1.1
                            Apr 21, 2025 16:03:06.609010935 CEST: 53 -> 59502, 1.1.1.1 -> 192.168.2.5
                            DNS queries (Timestamp / Source IP / Dest IP / Trans ID / OP Code / Name / Type / Class / DNS over HTTPS)
                            Apr 21, 2025 16:03:06.468815088 CEST: 192.168.2.5 -> 1.1.1.1, 0xfd07, Standard query (0), ip-api.com, A (IP address), IN (0x0001), DNS over HTTPS: false
                            DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / CName / Address / Type / Class / DNS over HTTPS)
                            Apr 21, 2025 16:03:06.609010935 CEST: 1.1.1.1 -> 192.168.2.5, 0xfd07, No error (0), ip-api.com, address 208.95.112.1, A (IP address), IN (0x0001), DNS over HTTPS: false
                            HTTP sessions (Session ID / Source IP / Source Port / Destination IP / Destination Port / PID / Process)
                            Session 0: 192.168.2.5:49694 -> 208.95.112.1:80, PID 7260, C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            Apr 21, 2025 16:03:06.806149006 CEST, 80 bytes, OUT:
                            GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            Connection: Keep-Alive
                            Apr 21, 2025 16:03:06.956104994 CEST, 175 bytes, IN:
                            HTTP/1.1 200 OK
                            Date: Mon, 21 Apr 2025 14:03:06 GMT
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 6
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 66 61 6c 73 65 0a
                            Data Ascii: false


                            Target ID:4
                            Start time:10:03:03
                            Start date:21/04/2025
                            Path:C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe"
                            Imagebase:0x970000
                            File size:968'704 bytes
                            MD5 hash:9CAD466DDA9C3A4278F28E6451159B96
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1294834181.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:5
                            Start time:10:03:05
                            Start date:21/04/2025
                            Path:C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.exe"
                            Imagebase:0x6c0000
                            File size:968'704 bytes
                            MD5 hash:9CAD466DDA9C3A4278F28E6451159B96
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2530344316.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2532310991.0000000002A67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            Execution Graph

                            Execution Coverage

                            Dynamic/Packed Code Coverage

                            Signature Coverage

                            Execution Coverage:8.5%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:32
                            Total number of Limit Nodes:3

                            Executed Functions

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88ab49e78f0ecc4ca1eb6f6bfb41c19be59209f58c5f3df691745b20204d048b
                            • Instruction ID: 4f615801f15a0f4635e7d67e6f999d658087a3bc1c15841a0d3268d4d217704b
                            • Opcode Fuzzy Hash: 88ab49e78f0ecc4ca1eb6f6bfb41c19be59209f58c5f3df691745b20204d048b
                            • Instruction Fuzzy Hash: FB61A574E012198FDB28DFAAD844A9DFBB2BF89300F10C169D419AB365EB305945CF54
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f29318454175813622f7704ee223af0dcbb3b43b424b846778ae59811c6072f
                            • Instruction ID: 8cca1f86da86c84c5608267bf4456236cba92036c682c218bd7fc9fb2731ce00
                            • Opcode Fuzzy Hash: 3f29318454175813622f7704ee223af0dcbb3b43b424b846778ae59811c6072f
                            • Instruction Fuzzy Hash: 2D51B474E012198FEB18DFAAD84479DFBB2BF88700F24C16DD419AB265EB305986CF51

                            Control-flow Graph

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 011CB63E
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 03e8f6968aed993bb990e420459e00a12dbd1af451c9b8727b7539ab26e5ba30
                            • Instruction ID: 73c9b437fd3e406fa772bbd8e5a3943155d7b1ced4a62957eb04f79638e1bbc2
                            • Opcode Fuzzy Hash: 03e8f6968aed993bb990e420459e00a12dbd1af451c9b8727b7539ab26e5ba30
                            • Instruction Fuzzy Hash: 55818670A04B458FDB28CF29D44275ABBF1FF98744F00892ED48ADBA41D734E84ACB95

                            Control-flow Graph

                            control_flow_graph 59 11c44b0-11c59d9 CreateActCtxA 62 11c59db-11c59e1 59->62 63 11c59e2-11c5a3c 59->63 62->63 70 11c5a3e-11c5a41 63->70 71 11c5a4b-11c5a4f 63->71 70->71 72 11c5a60 71->72 73 11c5a51-11c5a5d 71->73 75 11c5a61 72->75 73->72 75->75
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 011C59C9
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: df28158af754f8e56dac3c8d7b9c262b5b0609d4afdd9f3ea8450b7496379940
                            • Instruction ID: 472b7fa1dc287de8e63734de01493ff4e3bb4cf5a81c3d84ee6bb65325e668d7
                            • Opcode Fuzzy Hash: df28158af754f8e56dac3c8d7b9c262b5b0609d4afdd9f3ea8450b7496379940
                            • Instruction Fuzzy Hash: 7D41E1B0D0171DCBDB68CFAAC884ADDBBF6BF49704F20805AD409AB251DB756946CF50

                            Control-flow Graph

                            control_flow_graph 76 11c590c-11c59d9 CreateActCtxA 78 11c59db-11c59e1 76->78 79 11c59e2-11c5a3c 76->79 78->79 86 11c5a3e-11c5a41 79->86 87 11c5a4b-11c5a4f 79->87 86->87 88 11c5a60 87->88 89 11c5a51-11c5a5d 87->89 91 11c5a61 88->91 89->88 91->91
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 011C59C9
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: f8c351b95d2fb5680af64340905c00703f80082fad69fde8acf7b2bc5805b191
                            • Instruction ID: aa9ca2ca8c23c6d940b0f08b43609ce9f2e81d290d5077a2b387065c22a1b1db
                            • Opcode Fuzzy Hash: f8c351b95d2fb5680af64340905c00703f80082fad69fde8acf7b2bc5805b191
                            • Instruction Fuzzy Hash: 1C41F2B1D01719CBDB68CFAAC884BCDBBF2BF49704F24805AD409AB251DB75A946CF50

                            Control-flow Graph

                            control_flow_graph 92 11cd8c0-11cd8c4 93 11cd90a-11cd95c DuplicateHandle 92->93 94 11cd8c6-11cd907 92->94 95 11cd95e-11cd964 93->95 96 11cd965-11cd982 93->96 94->93 95->96
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011CD88E,?,?,?,?,?), ref: 011CD94F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 7322a472354d566e451858a722d860a67d08e04e66ca621c0017feafc717058d
                            • Instruction ID: 812fcbe8edfb21b61e812af25af3026b60610480328ac35d72b1a931e32cde20
                            • Opcode Fuzzy Hash: 7322a472354d566e451858a722d860a67d08e04e66ca621c0017feafc717058d
                            • Instruction Fuzzy Hash: 2D2135B580024A9FDB10CFA9D585BEEFFF5AF08320F14811AE958A7251D378A941CFA1

                            Control-flow Graph

                            control_flow_graph 99 11cd438-11cd95c DuplicateHandle 101 11cd95e-11cd964 99->101 102 11cd965-11cd982 99->102 101->102
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011CD88E,?,?,?,?,?), ref: 011CD94F
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b8fa165769b4dfc045b2d916945055e302a3e3020162513ff456457c7c20fad7
                            • Instruction ID: 710e2652640a4663cc1bf19a8c967ccc6ca9d83d89cd0a43866412acbd59467a
                            • Opcode Fuzzy Hash: b8fa165769b4dfc045b2d916945055e302a3e3020162513ff456457c7c20fad7
                            • Instruction Fuzzy Hash: 8021E5B59002499FDB10CF99D584ADEFFF5EB48310F14842AE918A7350D374A951CFA1

                            Control-flow Graph

                            control_flow_graph 105 11cb5d8-11cb618 106 11cb61a-11cb61d 105->106 107 11cb620-11cb64b GetModuleHandleW 105->107 106->107 108 11cb64d-11cb653 107->108 109 11cb654-11cb668 107->109 108->109
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 011CB63E
                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: c0557fae2133684c3b7244cde88f8f841029efbeddcef19196157e660c2e238f
                            • Instruction ID: dfd50d54bdb7de70f099f063824d75001aa00c0466d42da58f42fabcb631d599
                            • Opcode Fuzzy Hash: c0557fae2133684c3b7244cde88f8f841029efbeddcef19196157e660c2e238f
                            • Instruction Fuzzy Hash: E01110B6C006598FDB14CF9AD444ADEFBF8EF88720F10841AD959A7210C379A545CFA5
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291896753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_112d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5a4de98f78ce516254df29a7ddc2798b702bbe2f48854346ecddc796ba62f11a
                            • Instruction ID: d86dc63901cfff1478b981daa120629f366cd490b10facc3e752356804899dca
                            • Opcode Fuzzy Hash: 5a4de98f78ce516254df29a7ddc2798b702bbe2f48854346ecddc796ba62f11a
                            • Instruction Fuzzy Hash: 32210772504240DFDF0ADF98E9C4B26BF65FB89320F24C569ED094B246C336D426CBA2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291959741.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_113d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01ee61ee1a64cd09f6dce11028a54246be137cb69a8a618c21eaf8ec734cfa43
                            • Instruction ID: a3a7ba471f507b125b6ddc11f82b2a3bc424bd42e987702b5ee012c5fc82440e
                            • Opcode Fuzzy Hash: 01ee61ee1a64cd09f6dce11028a54246be137cb69a8a618c21eaf8ec734cfa43
                            • Instruction Fuzzy Hash: 5A212971504200DFDF1ADF98E5C0B25BB65FBC4324F64C56DE9094B25AC336D406CA62
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291959741.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_113d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6a968c2f9af9e9b6136dd389cb7a346af818a5ca5028728babedc53a4d74f70
                            • Instruction ID: 440ae26f1ad58e452de12e48e154197eb749bb7b2b028ef16e3f65e00a86afd8
                            • Opcode Fuzzy Hash: a6a968c2f9af9e9b6136dd389cb7a346af818a5ca5028728babedc53a4d74f70
                            • Instruction Fuzzy Hash: F8210371504200DFDF19DF68E580B16FB65EBC4714F60C569E9094B24AC33AD407CA62
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291959741.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_113d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8dc0978d82fb2bfbea6ca93fb0c2c0fe65415261f5186e6bf1cb07dde2723579
                            • Instruction ID: 225c3c9afb258d4619ca59e7179c19fdd4e547d1db3386de31c822e8491600ab
                            • Opcode Fuzzy Hash: 8dc0978d82fb2bfbea6ca93fb0c2c0fe65415261f5186e6bf1cb07dde2723579
                            • Instruction Fuzzy Hash: CB217F755083809FCB06CF64D994B11BF71EB86214F28C5DAD8498F2A7C33A981ACB62
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291896753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_112d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9c256e5f491da9944d83a67e45640baf8883e9ef308051f4dcfb587a0e7dd5c
                            • Instruction ID: c6cf095e6e3785f3f691af954f6021636fa61f895a091c2e62e42dcb9e018e84
                            • Opcode Fuzzy Hash: b9c256e5f491da9944d83a67e45640baf8883e9ef308051f4dcfb587a0e7dd5c
                            • Instruction Fuzzy Hash: B8219D76504240DFDF06CF54D9C4B16BF62FB85324F24C5A9DD094A656C33AD42ACBA2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291959741.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_113d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 635a0055f575a6eb21eb872a3a1e87cb2ee35c6e4d8a8db28d5e9f1465cd98cb
                            • Instruction ID: 14d7d8317c80ffc6da61f9c7d31e76a3cf57c622ea7b17b703f54619f25c5827
                            • Opcode Fuzzy Hash: 635a0055f575a6eb21eb872a3a1e87cb2ee35c6e4d8a8db28d5e9f1465cd98cb
                            • Instruction Fuzzy Hash: C311BB75504280DFDB06CF54D5C0B15BFA1FB84324F24C6A9E8494B29AC33AD40ACB62
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291896753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_112d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df9d8f35a908e405daeb1a6537544580d2dc425ac7517ae586c7c122f18e6734
                            • Instruction ID: e78f8255a03f55b3af2f49c490e96c5bab80b65ccf7ed4e9339821a51bc4554e
                            • Opcode Fuzzy Hash: df9d8f35a908e405daeb1a6537544580d2dc425ac7517ae586c7c122f18e6734
                            • Instruction Fuzzy Hash: D7012B710047909BEB299E99DD84B66FF98DF41338F14C51AED094A283D33D9401CAB2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1291896753.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_112d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 92391396029679cfbc5188d1a70a5506d2d3bb952b9dc56ef4f1da288de302a9
                            • Instruction ID: 59ad650fa525e97d6cb76b2ae1f7ff67f38ea6149bc76131430a7cadedd0394f
                            • Opcode Fuzzy Hash: 92391396029679cfbc5188d1a70a5506d2d3bb952b9dc56ef4f1da288de302a9
                            • Instruction Fuzzy Hash: F1F0C271004684AEEB159E59D988B62FF98EB41334F28C05AED484A287C3799840CBB1

                            Non-executed Functions

                            Memory Dump Source
                            • Source File: 00000004.00000002.1292529340.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_11c0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ee91bc97828a4454fe9f592d13cf965aa03c4753de48d83d8b2df999c84f46d4
                            • Instruction ID: 95de6b1b8e02cbafdfe4b7a88ebd423e777ad01d9ab7423a87615ea458d6d05f
                            • Opcode Fuzzy Hash: ee91bc97828a4454fe9f592d13cf965aa03c4753de48d83d8b2df999c84f46d4
                            • Instruction Fuzzy Hash: 88A15B32E002168FCF09DFB8C84459EBBB3FF94704B15856EE905AB265DB31E956CB40

                            Execution Graph

Execution Coverage: 8.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 60%
Total number of Nodes: 5
Total number of Limit Nodes: 0
                            execution_graph 24994 fe7298 24995 fe72dc CheckRemoteDebuggerPresent 24994->24995 24996 fe731e 24995->24996 24997 679c900 DuplicateHandle 24998 679c996 24997->24998

                            Executed Functions

                            Control-flow Graph

                            control_flow_graph 6 fe7298-fe731c CheckRemoteDebuggerPresent 8 fe731e-fe7324 6->8 9 fe7325-fe7360 6->9 8->9
                            APIs
                            • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00FE730F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2532042446.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_fe0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID: =
                            • API String ID: 3662101638-2322244508
                            • Opcode ID: 1aeba822848a949190d5f9c3851c59a7e9252e711c4d4169dbe8058e5a7d2e35
                            • Instruction ID: fb3be154375ae5b04c59d15d0d601c89f2ee4755ac31765e8c75c0e9f92b3188
                            • Opcode Fuzzy Hash: 1aeba822848a949190d5f9c3851c59a7e9252e711c4d4169dbe8058e5a7d2e35
                            • Instruction Fuzzy Hash: F42125B28012598FCB10CF9AD884BEEFBF4AF48320F14845AE859A7251D778A944DF61
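The execution_graph and control_flow_graph strings in this section are the report's graph data rendered as plain text (node id, address or basic-block range, optional API label, and "A->B" edges), which is hard to read by eye. As an added example, not part of the Joe Sandbox report, the Python script below parses those strings together with the "APIs" lines, reconstructs the path from each entry node to every node that calls an API, and maps an API reference address such as ref: 00FE730F back to the basic block that contains it. The sample inputs are copied from the process 4 (11C0000 region) and process 5 (FE0000 region) entries above, with the process 4 graph trimmed to its CreateActCtxA subgraph; the function names are my own assumptions, not anything the report defines.

```python
"""Parse the execution_graph / control_flow_graph strings and 'APIs' lines
that Joe Sandbox renders as text in this section.  Sample inputs are copied
from the process 4 (11C0000) and process 5 (FE0000) entries of the report;
the process 4 graph is trimmed to its CreateActCtxA subgraph.  Function
names are my own, not the report's."""
import re
from collections import defaultdict

# constructed sample input: graph strings and one 'APIs' line from the report
PROCESS5_EXEC_GRAPH = (
    "execution_graph 24994 fe7298 24995 fe72dc CheckRemoteDebuggerPresent "
    "24994->24995 24996 fe731e 24995->24996 24997 679c900 DuplicateHandle "
    "24998 679c996 24997->24998")
PROCESS4_EXEC_GRAPH = (
    "execution_graph 14814 11c4668 14815 11c467a 14814->14815 14816 11c4686 "
    "14815->14816 14818 11c4778 14815->14818 14819 11c479d 14818->14819 "
    "14823 11c4878 14819->14823 14827 11c4888 14819->14827 14825 11c48af "
    "14823->14825 14824 11c498c 14824->14824 14825->14824 14831 11c44b0 "
    "14825->14831 14829 11c48af 14827->14829 14828 11c498c 14828->14828 "
    "14829->14828 14830 11c44b0 CreateActCtxA 14829->14830 14830->14828 "
    "14832 11c5918 CreateActCtxA 14831->14832 14834 11c59db 14832->14834")
PROCESS5_CFG = ("control_flow_graph 6 fe7298-fe731c CheckRemoteDebuggerPresent "
                "8 fe731e-fe7324 6->8 9 fe7325-fe7360 6->9 8->9")
PROCESS5_API_LINES = ["• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00FE730F"]

GRAPH_PREFIX = re.compile(r"^(?:execution_graph|control_flow_graph)\s+")
API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

def parse_graph(text):
    """Tokenise one graph string into (nodes, edges).  'A->B' is an edge; an
    all-digit token opens a node whose next token is its address or 'lo-hi'
    block range; any other token is a label (API name, or 'call <addr>')."""
    tokens = GRAPH_PREFIX.sub("", text.strip()).split()
    nodes, edges, current, expect_addr, i = {}, [], None, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if expect_addr:
            nodes[current]["addr"], expect_addr = tok, False
        elif "->" in tok:
            edges.append(tuple(tok.split("->", 1)))
        elif tok.isdigit():
            current, expect_addr = tok, True
            nodes[current] = {"addr": None, "labels": []}
        elif current is not None:
            if tok == "call" and i + 1 < len(tokens):   # keep 'call 11c5cdc' as one label
                tok, i = "call " + tokens[i + 1], i + 1
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges

def api_paths(nodes, edges):
    """Walk from every root (node with no incoming edge) to each node that
    carries an API label; return (root_addr, [addr, ...], api) triples."""
    succ, has_in = defaultdict(list), set()
    for src, dst in edges:
        if src != dst:                        # self-loops like 14824->14824 add nothing
            succ[src].append(dst)
            has_in.add(dst)

    def addr(n):
        return nodes.get(n, {}).get("addr") or n

    found = []
    for root in [n for n in nodes if n not in has_in]:
        stack, seen = [(root, [root])], set()
        while stack:
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            for label in nodes.get(node, {}).get("labels", []):
                if not label.startswith("call "):
                    found.append((addr(root), [addr(n) for n in path], label))
            stack.extend((nxt, path + [nxt]) for nxt in succ[node] if nxt not in seen)
    return found

def parse_api_refs(lines):
    """Turn '• Api.MODULE(args), ref: ADDR' lines into dicts with an int ref."""
    refs = []
    for m in filter(None, map(API_LINE.search, lines)):
        api, module, args, ref = m.groups()
        refs.append({"api": api, "module": module,
                     "args": args.split(",") if args else [], "ref": int(ref, 16)})
    return refs

def block_for(nodes, address):
    """Return the 'lo-hi' basic-block range that contains address, or None."""
    for node in nodes.values():
        rng = node["addr"] or ""
        if "-" in rng:
            lo, hi = (int(x, 16) for x in rng.split("-"))
            if lo <= address <= hi:
                return rng
    return None

if __name__ == "__main__":
    for graph in (PROCESS4_EXEC_GRAPH, PROCESS5_EXEC_GRAPH):
        for _, path, api in api_paths(*parse_graph(graph)):
            print(f"{api:28s} {' -> '.join(path)}")
    cfg, _ = parse_graph(PROCESS5_CFG)
    for ref in parse_api_refs(PROCESS5_API_LINES):
        print(f"{ref['api']} at {ref['ref']:08X} is in block {block_for(cfg, ref['ref'])}")
```

Run stand-alone, the script prints the two process 4 chains that end in CreateActCtxA (one through 11c4888 -> 11c48af -> 11c44b0, the other through 11c4878 -> 11c48af -> 11c44b0 -> 11c5918) and the process 5 chain fe7298 -> fe72dc for CheckRemoteDebuggerPresent, then reports that the call site 00FE730F falls inside the block fe7298-fe731c, the block whose two successors (fe731e-fe7324 and fe7325-fe7360) are the branch taken on the debugger check. Self-loop edges such as 14824->14824 are dropped so the walk terminates; the "call <addr>" labels from the larger process 4 control-flow graph are kept on the node but are not reported as API calls.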

                            Control-flow Graph

                            control_flow_graph 0 fe7290-fe731c CheckRemoteDebuggerPresent 2 fe731e-fe7324 0->2 3 fe7325-fe7360 0->3 2->3
                            APIs
                            • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00FE730F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2532042446.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_fe0000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID: =
                            • API String ID: 3662101638-2322244508
                            • Opcode ID: 762d02fbba5ccac26aa559ca64088d0aec3f143e4ca8a7549982092008b90a74
                            • Instruction ID: f7bbc009418215c55dc36f307c52e07e4cdfe21bf211ac7b5914a13c52a08474
                            • Opcode Fuzzy Hash: 762d02fbba5ccac26aa559ca64088d0aec3f143e4ca8a7549982092008b90a74
                            • Instruction Fuzzy Hash: F52136B18012598FCB10CFAAD484BEEBBF4AF48320F14846EE855A7251D7789944DF61

                            Control-flow Graph

                            control_flow_graph 12 679c8f8-679c994 DuplicateHandle 13 679c99d-679c9ba 12->13 14 679c996-679c99c 12->14 14->13
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0679C987
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2534469951.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_6790000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: =
                            • API String ID: 3793708945-2322244508
                            • Opcode ID: 0ab9d75c65e44e0dcda715d60ec7d6dba17eaac99517cb476b4ad55eb9226988
                            • Instruction ID: 3e676df3e355615c405343d58f2199b91230b34f0be76d77ce489085ae35b662
                            • Opcode Fuzzy Hash: 0ab9d75c65e44e0dcda715d60ec7d6dba17eaac99517cb476b4ad55eb9226988
                            • Instruction Fuzzy Hash: E021E3B5D002489FDB10CFA9E584AEEBBF5EB48320F14841AE918A7350D375A955CF61

                            Control-flow Graph

                            control_flow_graph 17 679c900-679c994 DuplicateHandle 18 679c99d-679c9ba 17->18 19 679c996-679c99c 17->19 19->18
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0679C987
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2534469951.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_6790000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: =
                            • API String ID: 3793708945-2322244508
                            • Opcode ID: ce5434404f395f055c3e29fe9c74ae2032b06e031417fb4a6b3b6259eaeef0a5
                            • Instruction ID: 7d45e19b3c772a311b9fb2966bcaf8822fa5bdf4ae36d50f815a5f2ba5a2a66c
                            • Opcode Fuzzy Hash: ce5434404f395f055c3e29fe9c74ae2032b06e031417fb4a6b3b6259eaeef0a5
                            • Instruction Fuzzy Hash: 8021E2B59002489FDB10CFAAD984ADEFBF8EB48320F14801AE918A3350D375A944CFA1
                            Memory Dump Source
                            • Source File: 00000005.00000002.2531879183.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_f9d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad05f6cc1a429400410c11bc13b0c71c50c8bde59707f7476892d95777bb9e1d
                            • Instruction ID: d19ad4f3d7bb6f1203513c8defdff26c5813236ec582f3d46e4d2b8842329a53
                            • Opcode Fuzzy Hash: ad05f6cc1a429400410c11bc13b0c71c50c8bde59707f7476892d95777bb9e1d
                            • Instruction Fuzzy Hash: 4A21F575904200DFEF15DF24D584B16BB65FB84324F34C569E90A4B26AC33BD807DA61
                            Memory Dump Source
                            • Source File: 00000005.00000002.2531879183.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_f9d000_CN-Reminder-XXXXX9062-18022025073000000143265712220kbpdf.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f51ec26e75f8c5b542b338f047f998b47e8c49ae176f0154d852826cb1538b6e
                            • Instruction ID: 4ad85dd8f8d5ef22bdbbbc5c183cafb846cb795ec7db0820eeeea78984c5b2d7
                            • Opcode Fuzzy Hash: f51ec26e75f8c5b542b338f047f998b47e8c49ae176f0154d852826cb1538b6e
                            • Instruction Fuzzy Hash: 6A2150755093808FDB12CF24D994715BF71EB46314F28C5EAD8498B6A7C33A980ADB62