
Windows Analysis Report
Payment Summary 2025 11 2.exe

Overview

General Information

Sample name: Payment Summary 2025 11 2.exe
Analysis ID: 1619000
MD5: 6b654cb879dd6171a27f49ede0640dd0
SHA1: f3b604c42287475b70a3372ac271b083bf47d617
SHA256: 4c4b1980eed21f43c792e2d1727b36c9a6cf04b7732250d4559ca4a2f341dda8
Tags: exe, user-TeamDreier

Detection

GuLoader
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected GuLoader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
0000000A.00000002.4011728377.0000000039D30000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.3224497520.000000000597E000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: Payment Summary 2025 11 2.exe PID: 5532 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author
10.2.Payment Summary 2025 11 2.exe.39d30000.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
10.2.Payment Summary 2025 11 2.exe.38d35570.5.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

                System Summary

                Source: Network Connection; Author: frack113; Data: DestinationIp: 185.29.10.35, DestinationIsIpv6: false, DestinationPort: 2525, EventID: 3, Image: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, Initiated: true, ProcessId: 5532, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49990

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-19T13:03:43.718563+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49988 | 142.250.184.206 | 443 | TCP

                AV Detection

                Source: Payment Summary 2025 11 2.exeVirustotal: Detection: 35%
                Source: Payment Summary 2025 11 2.exeReversingLabs: Detection: 24%
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: Payment Summary 2025 11 2.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.6:49988 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.6:49989 version: TLS 1.2
                Source: Payment Summary 2025 11 2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_00402868 FindFirstFileW,10_2_00402868
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_004065C7 FindFirstFileW,FindClose,10_2_004065C7
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_00405996
                Source: global trafficTCP traffic: 192.168.2.6:49990 -> 185.29.10.35:2525
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49988 -> 142.250.184.206:443
                Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: drive.google.com
                Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
                Source: Payment Summary 2025 11 2.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.0000000007658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.0000000007694000.00000004.00000020.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.3988743151.0000000009160000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.0000000007694000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sjm
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3353328108.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=download
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.00000000076B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=downloada
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.00000000076B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1yib4SG1oMrk31TRhSrZqC1b5h2AZQ3sj&export=downloade
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3309488355.00000000076CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
                Source: unknownHTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.6:49988 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.6:49989 version: TLS 1.2
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040542B

                System Summary

                Source: initial sampleStatic PE information: Filename: Payment Summary 2025 11 2.exe
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,10_2_00403359
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Windows\superaccomplished
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Windows\besvres
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Windows\resources\0809
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Windows\resources\0809\sonnetization
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00404C680_2_00404C68
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_0040698E0_2_0040698E
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_738B1B630_2_738B1B63
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_00404C6810_2_00404C68
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_0040698E10_2_0040698E
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_0743971810_2_07439718
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_0743110810_2_07431108
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_0743111810_2_07431118
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_37D1074010_2_37D10740
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_37D117E810_2_37D117E8
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_37D10A7710_2_37D10A77
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D612D810_2_39D612D8
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D848B010_2_39D848B0
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D894C810_2_39D894C8
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D89C1310_2_39D89C13
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D848A310_2_39D848A3
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D88D1F10_2_39D88D1F
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D88D2010_2_39D88D20
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D88CF110_2_39D88CF1
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D894BF10_2_39D894BF
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D8D45E10_2_39D8D45E
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D8970210_2_39D89702
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_39D8961F10_2_39D8961F
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: String function: 00402C41 appears 51 times
                Source: Payment Summary 2025 11 2.exe, 00000000.00000000.2108734301.000000000046A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038E6D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXxpwmhfkeb.dll" vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038F83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXxpwmhfkeb.dll" vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3356281062.0000000039DBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3356326196.0000000039DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4012018767.0000000039EB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameXxpwmhfkeb.dll" vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000000.3214191175.000000000046A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000003.3356343401.0000000039DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXxpwmhfkeb.dll" vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclrjit.dllT vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exeBinary or memory string: OriginalFilenamekijev gitanos.exeL vs Payment Summary 2025 11 2.exe
                Source: Payment Summary 2025 11 2.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, YlMelZl4hpIy77SlH5C.csCryptographic APIs: 'CreateDecryptor'
                Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, MPDTZm31hDcORmv6RpR.csCryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, MPDTZm31hDcORmv6RpR.csCryptographic APIs: 'TransformFinalBlock'
                Source: classification engineClassification label: mal96.troj.evad.winEXE@3/19@2/3
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 10_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,10_2_00403359
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046EC
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeCode function: 0_2_00402104 CoCreateInstance,0_2_00402104
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Program Files (x86)\lineamentation
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Users\user\kredsene
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeMutant created: NULL
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeMutant created: \Sessions\1\BaseNamedObjects\19cf617f23b5914f
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile created: C:\Users\user\AppData\Local\Temp\nsq81C.tmp
                Source: Payment Summary 2025 11 2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Payment Summary 2025 11 2.exeVirustotal: Detection: 35%
                Source: Payment Summary 2025 11 2.exeReversingLabs: Detection: 24%
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile read: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe
                Source: unknownProcess created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeProcess created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeProcess created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: propsys.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: oleacc.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: shfolder.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile written: C:\Users\user\kredsene\Regnbuehinden\gengivendes.iniJump to behavior
                Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Payment Summary 2025 11 2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038DD5000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4012096705.0000000039FF0000.00000004.08000000.00040000.00000000.sdmp, Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

Source: Yara match | File source: 00000000.00000002.3224497520.000000000597E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, YlMelZl4hpIy77SlH5C.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, YlMelZl4hpIy77SlH5C.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, NMK5lsyDpALGS9Gdbt.cs | .Net Code: QNZ72Oppq System.AppDomain.Load(byte[])
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, WAOD5gcCEpDhSbJShGL.cs | .Net Code: wVTsj2WE2F
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, WAOD5gcCEpDhSbJShGL.cs | .Net Code: KvaEEs6b1g
Source: 10.2.Payment Summary 2025 11 2.exe.38d857b0.6.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 10.2.Payment Summary 2025 11 2.exe.38d857b0.6.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 10.2.Payment Summary 2025 11 2.exe.38d857b0.6.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.38d857b0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.38d857b0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 10.2.Payment Summary 2025 11 2.exe.39ff0000.10.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 10.2.Payment Summary 2025 11 2.exe.39ff0000.10.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 10.2.Payment Summary 2025 11 2.exe.39ff0000.10.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.39ff0000.10.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.39ff0000.10.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 10.2.Payment Summary 2025 11 2.exe.38dd57d0.7.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 10.2.Payment Summary 2025 11 2.exe.38dd57d0.7.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 10.2.Payment Summary 2025 11 2.exe.38dd57d0.7.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.38dd57d0.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 10.2.Payment Summary 2025 11 2.exe.38dd57d0.7.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: Yara match | File source: 10.2.Payment Summary 2025 11 2.exe.39d30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment Summary 2025 11 2.exe.38d35570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.4011728377.0000000039D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4011438294.0000000038D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Summary 2025 11 2.exe PID: 5532, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_738B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_738B1B63
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_738B2FD0 push eax; ret 0_2_738B2FFE
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_07434C5E push eax; retf 10_2_07434C6D
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_37CB066C push es; retf 10_2_37CB0676
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_37D1B1CB push eax; iretd 10_2_37D1B1D1
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_37D1D0B0 pushad ; iretd 10_2_37D1D0B1
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_37D1D02C pushad ; iretd 10_2_37D1D02E
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D88838 push eax; iretw 10_2_39D88839
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D84030 push 6C37CF3Bh; retf 10_2_39D8403D
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D8D3F7 push edx; retf 10_2_39D8D403
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D87DF1 pushad ; iretd 10_2_39D87DF2
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D87DE9 pushad ; iretd 10_2_39D87DEA
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D845E0 pushfd ; iretd 10_2_39D845E1
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D84580 pushad ; iretd 10_2_39D84581
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D88453 push eax; iretd 10_2_39D88459
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D87E13 pushad ; iretd 10_2_39D87E1A
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D8C63E push BEFFFFFFh; ret 10_2_39D8C643
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D87E30 pushad ; iretd 10_2_39D87E3A
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_39D88633 push esp; iretd 10_2_39D88639
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_3A3128F2 pushfd ; ret 10_2_3A3128F3
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_3A313D13 push edi; ret 10_2_3A313D16
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_3A313519 push eax; retf 10_2_3A31351F
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_3A31594D push edi; ret 10_2_3A315953
Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, eA78HTcp9I7VPlGhCB8.cs | High entropy of concatenated method names: 'pQGcEVTOaP', 'tsScakt6W0', 'OPXciRItPs', 'YimcRp3ke3', 'FivcBOeijo', 'rkmcyTPMmW', 'UjgcMxLQ72', 'mLic8YMicJ', 'skxckO5PeH', 'bsec7YOUXu'
Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, YlMelZl4hpIy77SlH5C.cs | High entropy of concatenated method names: 'N0k2yOLaLPA5MTuEUj8', 'vePWayLiHd2xMRuyZlv', 'Divb0dY418', 'vh0ry9Sq2v', 'UUPb608reO', 'fZxbTr2RYJ', 'OPnb1AtiII', 'f0xbrCsNMU', 'lXYDapXZhX', 'QVLllpnHkY'
Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, NMK5lsyDpALGS9Gdbt.cs | High entropy of concatenated method names: 'ASBefbdYd', 'wW1DHm1p5', 'bU0Fa8A2X', 'LARHe956f', 'P9i8Nl6tX', 'RkAkBU2KG', 'QNZ72Oppq', 'XWWC8vQOp', 'kjwLwBDe5', 'R8j9rXCXx'
Source: 10.2.Payment Summary 2025 11 2.exe.38ec5ed0.2.raw.unpack, WAOD5gcCEpDhSbJShGL.cs | High entropy of concatenated method names: 'Kk9iakD0KY', 'RJyiinokS2', 'rbIiRNEDy2', 'hmwiBjgZ99', 'syLiy0WEaJ', 'YNviM9q7qE', 'cnui8M98Uv', 'cRlcrhhUvQ', 'YQFik2ODV2', 'OyKi7LvFWo'
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, eA78HTcp9I7VPlGhCB8.cs | High entropy of concatenated method names: 'pQGcEVTOaP', 'tsScakt6W0', 'OPXciRItPs', 'YimcRp3ke3', 'FivcBOeijo', 'rkmcyTPMmW', 'UjgcMxLQ72', 'mLic8YMicJ', 'skxckO5PeH', 'bsec7YOUXu'
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, YlMelZl4hpIy77SlH5C.cs | High entropy of concatenated method names: 'N0k2yOLaLPA5MTuEUj8', 'vePWayLiHd2xMRuyZlv', 'Divb0dY418', 'vh0ry9Sq2v', 'UUPb608reO', 'fZxbTr2RYJ', 'OPnb1AtiII', 'f0xbrCsNMU', 'lXYDapXZhX', 'QVLllpnHkY'
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, CX8wTjQuFyOvYcYMmB5.cs | High entropy of concatenated method names: 'cublGMdY4I', 'BJS6EyLuxPkhW5TuwWI', 'wQE0KhLqCexGsUAZ4qr', 'xnPQ4gfpeR', 'NfeQ3ocsN0', 'HEQQlGOAHY', 'QZLQbhxN6t', 'cyKQcTO9cj', 'DvRQ5jIm9E', 'ATJcMj7kEULMluyJR1j'
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, NMK5lsyDpALGS9Gdbt.cs | High entropy of concatenated method names: 'ASBefbdYd', 'wW1DHm1p5', 'bU0Fa8A2X', 'LARHe956f', 'P9i8Nl6tX', 'RkAkBU2KG', 'QNZ72Oppq', 'XWWC8vQOp', 'kjwLwBDe5', 'R8j9rXCXx'
Source: 10.2.Payment Summary 2025 11 2.exe.39eb0000.9.raw.unpack, WAOD5gcCEpDhSbJShGL.cs | High entropy of concatenated method names: 'Kk9iakD0KY', 'RJyiinokS2', 'rbIiRNEDy2', 'hmwiBjgZ99', 'syLiy0WEaJ', 'YNviM9q7qE', 'cnui8M98Uv', 'cRlcrhhUvQ', 'YQFik2ODV2', 'OyKi7LvFWo'
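The "High entropy of concatenated method names" evidence above is a statistical heuristic: the obfuscator replaced method names with random-looking alphanumeric strings, so the character distribution of all names joined together is much flatter than that of ordinary English-derived identifiers. The Python below, added here as an illustration and not code from Joe Sandbox or from the sample, reproduces that measurement with Shannon entropy over the names the report lists, comparing the obfuscated class eA78HTcp9I7VPlGhCB8 against the embedded protobuf-net methods from the same section. Joe Sandbox's exact formula and cut-off are not published in the report; the 4.8 bit per character threshold is an assumption chosen to separate these two sets.

```python
import math
from collections import Counter
from typing import Iterable

# Method names copied from the report's evidence for the obfuscated class
# eA78HTcp9I7VPlGhCB8 in the unpacked .NET module.
OBFUSCATED = ['pQGcEVTOaP', 'tsScakt6W0', 'OPXciRItPs', 'YimcRp3ke3', 'FivcBOeijo',
              'rkmcyTPMmW', 'UjgcMxLQ72', 'mLic8YMicJ', 'skxckO5PeH', 'bsec7YOUXu']

# Method names the report lists for the embedded protobuf-net library
# (TypeModel.cs, ListDecorator.cs, TypeSerializer.cs): ordinary readable identifiers.
READABLE = ['TryDeserializeList', 'Read', 'CreateInstance',
            'EmitCreateInstance', 'EmitCreateIfNull']

# Assumed cut-off in bits per character; Joe Sandbox's own threshold is not in the report.
ENTROPY_THRESHOLD = 4.8


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of all method names joined into one string, which is what the
    'concatenated method names' heuristic measures: random identifiers spread
    probability mass over many characters, English-derived ones concentrate it
    on a few (e, t, a, r, ...)."""
    return shannon_entropy(''.join(names))


def looks_obfuscated(names: Iterable[str], threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the joined names exceed the (assumed) entropy threshold."""
    return method_name_entropy(names) > threshold


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('protobuf-net', READABLE)):
        print(f"{label:12s} {method_name_entropy(names):.2f} bits/char "
              f"-> {'flagged' if looks_obfuscated(names) else 'ok'}")
```

On these inputs the obfuscated class scores about 5.1 bits per character and the protobuf-net names about 4.0. The estimate is noisy for classes with only a few short names, so treat the signature as corroboration for the dynamic-call and Assembly.Load evidence listed above rather than as proof on its own.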
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Users\user\AppData\Local\Temp\nsmBF5.tmp\System.dll
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process information set: NOOPENFILEERRORBOX (44 occurrences)

                Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Payment Summary 2025 11 2.exe PID: 5532, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API/Special instruction interceptor: Address: 620F9B6
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API/Special instruction interceptor: Address: 488F9B6
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | RDTSC instruction interceptor: First address: 61CDD4B second address: 61CDD4B instructions: 0x00000000 rdtsc 0x00000002 cmp dl, cl 0x00000004 test bl, cl 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F26DCB54199h 0x0000000a cmp ecx, edx 0x0000000c test edx, eax 0x0000000e inc ebp 0x0000000f cmp ecx, 3D413367h 0x00000015 inc ebx 0x00000016 cmp ah, FFFFFFE3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | RDTSC instruction interceptor: First address: 484DD4B second address: 484DD4B instructions: 0x00000000 rdtsc 0x00000002 cmp dl, cl 0x00000004 test bl, cl 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F26DC4F6E79h 0x0000000a cmp ecx, edx 0x0000000c test edx, eax 0x0000000e inc ebp 0x0000000f cmp ecx, 3D413367h 0x00000015 inc ebx 0x00000016 cmp ah, FFFFFFE3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 73F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 37D30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: 378E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmBF5.tmp\System.dll
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API coverage: 0.2 %
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, TID: 1208 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, TID: 1208 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, TID: 2644 | Thread sleep count: 199 > 30
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, TID: 1208 | Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_00402868 FindFirstFileW,10_2_00402868
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_004065C7 FindFirstFileW,FindClose,10_2_004065C7
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 10_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_00405996
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 35000
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 35000
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.0000000007694000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnQ
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.00000000076B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.3986652777.0000000007658000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
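The strings recovered from the .NET module's memory (the regular expressions VMware|VIRTUAL|A M I|Xen and Microsoft|VMWare|Virtual, the WMI query select * from Win32_ComputerSystem, and the module names vmGuestLib.dll and SBIEDLL.DLL) describe the sample's environment check closely enough to replay it against a description of an analysis host, which is how a sandbox operator can tell whether a given VM would be refused before detonating the sample. The Python below is an added example, not the sample's own code: it assumes the first regex is matched against the Manufacturer property and the second against the Model property of Win32_ComputerSystem, case-sensitively, and that the two DLL names are compared against the process's loaded modules; the host profiles are constructed for the example and are not taken from the report.

```python
import re
from typing import Dict, List, Tuple

# Regular expressions and module names recovered verbatim from the sample's memory
# (see the 'Binary or memory string' evidence above).
MANUFACTURER_RE = re.compile(r"VMware|VIRTUAL|A M I|Xen")
MODEL_RE = re.compile(r"Microsoft|VMWare|Virtual")
WMI_QUERY = "select * from Win32_ComputerSystem"
SUSPICIOUS_MODULES = {"sbiedll.dll", "vmguestlib.dll"}   # Sandboxie, VMware guest SDK

# Constructed host profiles: (Win32_ComputerSystem.Manufacturer, .Model, loaded modules).
# Illustrative values for the example, not data from the report.
HOSTS: Dict[str, Tuple[str, str, List[str]]] = {
    "vmware":    ("VMware, Inc.",          "VMware Virtual Platform", ["ntdll.dll", "vmGuestLib.dll"]),
    "hyperv":    ("Microsoft Corporation", "Virtual Machine",         ["ntdll.dll"]),
    "sandboxie": ("Dell Inc.",             "OptiPlex 7090",           ["ntdll.dll", "SbieDll.dll"]),
    "baremetal": ("Dell Inc.",             "OptiPlex 7090",           ["ntdll.dll"]),
}


def vm_check(manufacturer: str, model: str, loaded_modules: List[str]) -> List[str]:
    """Replay the sample's environment test against one host description.

    Assumptions (the report shows the strings, not the code around them):
    MANUFACTURER_RE is applied to Win32_ComputerSystem.Manufacturer, MODEL_RE to
    .Model, both case-sensitively; module names are compared case-insensitively
    against the process's loaded modules. Returns the reasons the host would be
    flagged; an empty list means the check passes.
    """
    reasons = []
    if MANUFACTURER_RE.search(manufacturer):
        reasons.append(f"Manufacturer {manufacturer!r} matches {MANUFACTURER_RE.pattern!r}")
    if MODEL_RE.search(model):
        reasons.append(f"Model {model!r} matches {MODEL_RE.pattern!r}")
    for mod in loaded_modules:
        if mod.lower() in SUSPICIOUS_MODULES:
            reasons.append(f"module {mod} loaded")
    return reasons


def flagged_hosts(hosts: Dict[str, Tuple[str, str, List[str]]] = HOSTS) -> List[str]:
    """Names of the profiles the sample would refuse to run on, sorted."""
    return sorted(name for name, (manu, model, mods) in hosts.items()
                  if vm_check(manu, model, mods))


if __name__ == "__main__":
    print(f"WMI query replayed: {WMI_QUERY}")
    for name, (manu, model, mods) in HOSTS.items():
        reasons = vm_check(manu, model, mods)
        print(f"{name:10s} {'FLAGGED' if reasons else 'passes '} {reasons}")
```

Two details fall out of replaying the strings. A VMware guest is caught three ways, but a Hyper-V guest is caught only through the Model regex (the Manufacturer list has no Microsoft entry), and the VMWare token in the Model regex is capitalised differently from the real "VMware Virtual Platform" model string, so that host matches through Virtual rather than VMWare unless the sample matches case-insensitively (not visible in the report). Hardening an analysis VM against this family therefore means changing the SMBIOS manufacturer and model strings exposed through Win32_ComputerSystem and keeping the VMware guest library and Sandboxie's DLL out of the sample's process.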
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API call chain: ExitProcess graph end node, graph_0-4908
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | API call chain: ExitProcess graph end node, graph_0-4911
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_738B1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_738B1B63
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Process created: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe "C:\Users\user\Desktop\Payment Summary 2025 11 2.exe"
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Queries volume information: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
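The evidence in this and the preceding sections is worth parsing mechanically when many reports are triaged: file drops, registry reads and sleep durations are the fields a detection engineer pulls into IOC lists and sandbox-tuning notes. The Python below is an added example, not part of the Joe Sandbox report or tooling. It parses a constructed subset of this report's own evidence lines (written with a " | " separator between the source and the event), collects the dropped and written files, queried registry keys, loaded modules and memory strings, and flags every thread delay at or above the 30000 ms limit the report itself applies in its "Thread sleep time ... >= -30000s" checks. It also shows that the reported delay of 922337203685477 ms is exactly TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns) in whole milliseconds, that is an unbounded sleep rather than a random large number.

```python
import re
from typing import Dict, List

# Evidence lines copied from this report (a constructed subset), written as
# "Source: <source> | <event>: <detail>" so they can be split reliably.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File created: C:\Users\user\AppData\Local\Temp\nsmBF5.tmp\System.dll
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | File written: C:\Users\user\kredsene\Regnbuehinden\gengivendes.ini
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Thread delayed: delay time: 35000
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe, TID: 2644 | Thread sleep count: 199 > 30
Source: C:\Users\user\Desktop\Payment Summary 2025 11 2.exe | Section loaded: amsi.dll
Source: Payment Summary 2025 11 2.exe, 0000000A.00000002.4009738029.0000000037DE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
""".strip().splitlines()

# Source is everything before the first " | ", the event name runs to the first colon.
LINE_RE = re.compile(r"^Source: (?P<source>.+?) \| (?P<event>[^:]+): (?P<detail>.*)$")

# Joe Sandbox reports delays in milliseconds. TimeSpan.MaxValue is Int64.MaxValue
# ticks of 100 ns; in whole milliseconds that is exactly the value in this report.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000      # 922337203685477
LONG_SLEEP_MS = 30_000                        # the threshold the report itself applies


def parse_line(line: str) -> Dict[str, str]:
    """Split one evidence line into source, event and detail."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised evidence line: {line!r}")
    return m.groupdict()


def triage(lines: List[str]) -> Dict[str, object]:
    """Collect IOCs and sandbox-evasion indicators from evidence lines."""
    out: Dict[str, object] = {
        "dropped_files": [], "written_files": [], "registry_keys": [],
        "memory_strings": [], "loaded_modules": [], "long_sleeps_ms": [],
        "infinite_sleeps": 0,
    }
    for line in lines:
        rec = parse_line(line)
        ev, detail = rec["event"], rec["detail"]
        if ev == "File created":
            out["dropped_files"].append(detail)
        elif ev == "File written":
            out["written_files"].append(detail)
        elif ev == "Key value queried":
            out["registry_keys"].append(detail)
        elif ev == "Binary or memory string":
            out["memory_strings"].append(detail)
        elif ev == "Section loaded":
            out["loaded_modules"].append(detail)
        elif ev == "Thread delayed":
            ms = int(detail.rsplit(" ", 1)[1])       # "delay time: <ms>"
            if ms >= LONG_SLEEP_MS:
                out["long_sleeps_ms"].append(ms)
            if ms == TIMESPAN_MAX_MS:
                out["infinite_sleeps"] += 1
        # other events (sleep counts, code functions, ...) are left for other tooling
    return out


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key:16s} {value}")
```

Run over the full set of evidence lines, long_sleeps_ms gives the minimum sleep-skipping budget the sandbox needs (here anything that cannot fast-forward past 35 s), and infinite_sleeps tells you whether the sample will ever resume at all. The 0.2 % API coverage and the two "Last function: Thread delayed" lines above are consistent with the run ending inside exactly such a delay.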
MITRE ATT&CK matrix (matched techniques only; the number in brackets is the count of signatures mapped to that technique; the placeholder techniques that fill the unmatched cells of the matrix are omitted):

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (12), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1)
Credential Access: none
Discovery: Security Software Discovery (31), Virtualization/Sandbox Evasion (31), File and Directory Discovery (3), System Information Discovery (214)
Lateral Movement: none
Collection: Archive Collected Data (11), Clipboard Data (1)
Command and Control: Encrypted Channel (11), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)
Exfiltration: none
Impact: System Shutdown/Reboot (1)
                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.
