Windows Analysis Report
Payment Summary 2025 11 2.exe

Overview

General Information

Sample name: Payment Summary 2025 11 2.exe
Analysis ID: 1619000
MD5: 6b654cb879dd6171a27f49ede0640dd0
SHA1: f3b604c42287475b70a3372ac271b083bf47d617
SHA256: 4c4b1980eed21f43c792e2d1727b36c9a6cf04b7732250d4559ca4a2f341dda8
Tags: exe, user-TeamDreier

Detection

GuLoader
Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
.NET source code contains method to dynamically call methods (often used by packers)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.2841881543.0000000005ABE000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings:

    System Summary

    Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.29.10.35, DestinationIsIpv6: false, DestinationPort: 2525, EventID: 3, Image: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, Initiated: true, ProcessId: 6216, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50005

    Suricata IDS alert:
    Timestamp: 2025-02-19T12:55:13.607835+0100
    SID: 2803270
    Severity: 2
    Classtype: Potentially Bad Traffic
    Source IP: 192.168.2.4
    Source Port: 50003
    Destination IP: 172.217.16.142
    Destination Port: 443
    Protocol: TCP

    AV Detection

    Source: Payment Summary 2025 11 2.exe | ReversingLabs: Detection: 24%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: Payment Summary 2025 11 2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 172.217.16.142:443 -> 192.168.2.4:50003 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.4:50004 version: TLS 1.2
    Source: Payment Summary 2025 11 2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_004065C7 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: global traffic | TCP traffic: 192.168.2.4:50005 -> 185.29.10.35:2525
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50003 -> 172.217.16.142:443
    Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Host: drive.google.com
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Host: drive.google.com
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: drive.google.com
    Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
    Source: global traffic | DNS traffic detected: DNS query: 220.240.8.0.in-addr.arpa
    Source: Payment Summary 2025 11 2.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2978383871.0000000007699000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.0000000007699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.00000000076D5000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2978383871.0000000007699000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2978449323.00000000076D4000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.0000000007699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2978383871.0000000007699000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.0000000007699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=downloadA9
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2978383871.0000000007699000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.0000000007699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=downloadFB
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2978383871.0000000007699000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.2946739221.0000000007699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=downloadwJ
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394BA000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2939994805.00000000076D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394BA000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3026903233.00000000394CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50003
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50004
    Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50003 -> 443
    Source: unknown | HTTPS traffic detected: 172.217.16.142:443 -> 192.168.2.4:50003 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.4:50004 version: TLS 1.2
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Window created: window name: CLIPBRDWNDCLASS

    System Summary

    Source: initial sample | Static PE information: Filename: Payment Summary 2025 11 2.exe
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Windows\superaccomplished
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Windows\besvres
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Windows\resources\0809
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Windows\resources\0809\sonnetization
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00404C68
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_0040698E
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_6F951B63
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00404C68
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_0040698E
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: String function: 00402C41 appears 51 times
    Source: Payment Summary 2025 11 2.exe, 00000000.00000002.2840719478.000000000046A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.2981901207.0000000007713000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Payment Summary 2025 11 2.exe
    Source: Payment Summary 2025 11 2.exe, 00000005.00000003.3024450271.0000000038FCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClassLibrary1.dll" vs Payment Summary 2025 11 2.exe
    Source: Payment Summary 2025 11 2.exe, 00000005.00000000.2837745130.000000000046A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
    Source: Payment Summary 2025 11 2.exe | Binary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
    Source: Payment Summary 2025 11 2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@3/20@3/3
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00402104 CoCreateInstance
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Program Files (x86)\lineamentation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Users\user\kredsene
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Mutant created: NULL
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Mutant created: \Sessions\1\BaseNamedObjects\19cf617f23b5914f
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Users\user\AppData\Local\Temp\nsb3111.tmp
    Source: Payment Summary 2025 11 2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Payment Summary 2025 11 2.exe | ReversingLabs: Detection: 24%
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File read: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: edputil.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File written: C:\Users\user\kredsene\Regnbuehinden\klokkendes.ini
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: Payment Summary 2025 11 2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    barindex
    Source: Yara matchFile source: 00000000.00000002.2841881543.0000000005ABE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs.Net Code: Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777297)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777248)),Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777365))})
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_6F951B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_6F952FD0 push eax; ret 0_2_6F952FFE
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, dS8NLBORQCnVypqC83v.cs | High entropy of concatenated method names: 'BCqOXeTmv9', 'U3pOumGsu4', 'fuIOlTMxKk', 'zixOrHaVXa', 'CkiO8lhY9c', 'JySO0WQdTN', 'ltJO5WQVx9', 'GONOW3oATt', 'aOZOZW4wdH', 'GxEptKaimOF2wqBtrf1'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, HXWgqf7QK37HQ0ZpisZ.cs | High entropy of concatenated method names: 'wWc74tJV3d', 'i0M7tjFvsd', 'xmc7D5UyIb', 'DAQ76jgD5d', 'vKc7YmXJBj', 'qfo7BYhLkc', 'Jvm7yiCJ8F', 'hWa7sdSoWA', 'IqU7kwu7n7', 'Jca73Hjm9o'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, Dc4xUxvOwXRXuWZuBqx.cs | High entropy of concatenated method names: 'G1CvmmDfsR', 'iFtvXHTZZE', 'qv9vuYO6aw', 'pAmvl2BZg2', 'NfGvrmE0A6', 'BP0v8pdobr', 'BGPv0hNxQE', 'y9Iv5XC42W', 'uHgvWmqc8U', 'zU2vZv9sUB'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | High entropy of concatenated method names: 'gvLhX3oBubUujS9vuYp', 'NLL83koyt6Wvt33yAhj', 'pgfZkkSeMY', 'vh0ry9Sq2v', 'tmJZg4Dl6V', 'bxiZD4WM21', 'IhOZ6o2txi', 'mOyZS55OA6', 'W6sek53ZPM', 'Uu9WcY71tn'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, U3E6RwN5SaPZeZUlErQ.cs | High entropy of concatenated method names: 'yJoNZ7E45S', 'm2sNvL1Jpg', 'CQmNKvbK7F', 'qaeN2NtOP8', 'iMXN1SIOn4', 'hyFNMf9N6a', 'Mk4N9wG0GL', 'jyTNIWn3VI', 'mxXNQrUQrd', 'kRONbW4oVv'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, o8P76yvvHV5KpUNsml7.cs | High entropy of concatenated method names: 'ogOQ0NcqVg', 'SAhQ5DjcbE', 'vjdQW9CUnK', 'kRLQZbCtQg', 'WEjQvXwYeL', 'QGfQKts7GH', 'JRuQ2fHKGZ', 'hT4vqP4jUa', 'dtRQ1ee6MW', 'CoWQMovtgf'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, BYp4U2Oe5wBDI4goG2T.cs | High entropy of concatenated method names: 'SAkbTlwEevfVN7OfceR', 'firsqowOpF5u7MyABPY', 'lC52Q4wnWMdK6pAtMIY', 'lI2Dh7wfSbAAVvtZHvc', 'IfrcE44OyD', 'eMvcO4ZytH', 'tptcceFFV9', 'QObcnPQgnZ', 'lJ8cfe8ReD', 'IekcCYmCMn'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, dSjLwOOBq5S8xcIDmvy.cs | High entropy of concatenated method names: 'CULufKTteJhl0RuNSew', 'oQVjUkTghxn2qQENTbW', 'Dispose', 'ToString', 'DXcMKrT6ieWNGruyEyf', 'jOEugUTStIEMcl8gjMd', 'QpGiTQhrZpHBs0vbm5Q', 'ssBPNmh8GL8a08qPsUB', 'SFcQmw7yx2', 'gl1QXQWNFG'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, cOa8qNtY5ahAXGWQgN.cs | High entropy of concatenated method names: 'mxADtipSP', 'eS364pa0w', 'LJ9Sp5Wfx', 'me6ahOsMX', 'pV9FcqTsZ', 'C5KqE8v3J', 'q1eiJDFX0', 'uZ0Onrt3u2', 'oQATxfFEE', 'yqoVgFGZX'
    Source: 5.3.Payment Summary 2025 11 2.exe.390d8550.0.raw.unpack, uC0hRMPfPBtRWtAg1mn.cs | High entropy of concatenated method names: 'bXlPP3Ncc7', 'TYjP7Ktb1S', 'yu2PNpEHJA', 'oVMPjQKEyI', 'DE0PGQ9Xi0', 'RZdPLFYhvs', 'qx9PRtiFVD', 't6hPmRQrOD', 'wyNPXVSrKq', 'aPWPue8diN'
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Users\user\AppData\Local\Temp\nsy34EB.tmp\System.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process information set: NOOPENFILEERRORBOX (72 identical entries)

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API/Special instruction interceptor: Address: 634F9B6
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API/Special instruction interceptor: Address: 488F9B6
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | RDTSC instruction interceptor: First address: 630DD4B second address: 630DD4B instructions:
        0x00000000 rdtsc
        0x00000002 cmp dl, cl
        0x00000004 test bl, cl
        0x00000006 cmp ebx, ecx
        0x00000008 jc 00007FBE7CBDAE09h
        0x0000000a cmp ecx, edx
        0x0000000c test edx, eax
        0x0000000e inc ebp
        0x0000000f cmp ecx, 3D413367h
        0x00000015 inc ebx
        0x00000016 cmp ah, FFFFFFE3h
        0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | RDTSC instruction interceptor: First address: 484DD4B second address: 484DD4B instructions:
        0x00000000 rdtsc
        0x00000002 cmp dl, cl
        0x00000004 test bl, cl
        0x00000006 cmp ebx, ecx
        0x00000008 jc 00007FBE7CBEDE49h
        0x0000000a cmp ecx, edx
        0x0000000c test edx, eax
        0x0000000e inc ebp
        0x0000000f cmp ecx, 3D413367h
        0x00000015 inc ebx
        0x00000016 cmp ah, FFFFFFE3h
        0x00000019 rdtsc
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 73B0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 37BD0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 37B10000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Window / User API: threadDelayed 7972
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Window / User API: threadDelayed 1857
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy34EB.tmp\System.dll
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe TID: 1740 | Thread sleep time: -21213755684765971s >= -30000s
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe TID: 1740 | Thread sleep time: -58000s >= -30000s
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00402868 FindFirstFileW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_004065C7 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 5_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API call chain: ExitProcess graph end node (graph_0-4912)
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API call chain: ExitProcess graph end node (graph_0-4915)
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_6F951B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe VolumeInformation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

    Stealing of Sensitive Information

    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

    MITRE ATT&CK Matrix

    One column per tactic; a number in front of a technique name is the hit count the report attached to that technique.

    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 41 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
    | Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 236 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
    | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 23 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 51 Virtualization/Sandbox Evasion | Distributed Component Object Model | 2 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Masquerading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 51 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
    | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
    | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
