Windows Analysis Report
EPAYMENT.exe

Overview

General Information

Sample Name: EPAYMENT.exe
Analysis ID: 624181
MD5: 9811d64e29ef53e107f9379526cfd338
SHA1: b6e84580f902a0c3d3f77748a2a027c9fe42db68
SHA256: e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8
Infos:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe"}
Multi AV Scanner detection for submitted file
Source: EPAYMENT.exe ReversingLabs: Detection: 17%
Uses 32bit PE files
Source: EPAYMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50459 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51082 version: TLS 1.2
Source: EPAYMENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr
Source: Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405D74
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0040699E FindFirstFileW,FindClose, 2_2_0040699E
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50730
Source: unknown Network traffic detected: HTTP traffic on port 50693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50745
Source: unknown Network traffic detected: HTTP traffic on port 50578 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50747
Source: unknown Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50741
Source: unknown Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50758
Source: unknown Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50752
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50762
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50763
Source: unknown Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 51192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 51077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 50783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50591 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50704
Source: unknown Network traffic detected: HTTP traffic on port 50656 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50705
Source: unknown Network traffic detected: HTTP traffic on port 51065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50716
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50719
Source: unknown Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50718
Source: unknown Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50721
Source: unknown Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50720
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50729
Source: unknown Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50505 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown Network traffic detected: HTTP traffic on port 50923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50779
Source: unknown Network traffic detected: HTTP traffic on port 50911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50778
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50772
Source: unknown Network traffic detected: HTTP traffic on port 51025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50774
Source: unknown Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50607 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50789
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50780
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50786
Source: unknown Network traffic detected: HTTP traffic on port 51139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50785
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50792
Source: unknown Network traffic detected: HTTP traffic on port 51245 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50797
Source: unknown Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50796
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50514 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51144
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51149
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51146
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51147
Source: unknown Network traffic detected: HTTP traffic on port 51176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51155
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51159
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown Network traffic detected: HTTP traffic on port 50755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51162
Source: unknown Network traffic detected: HTTP traffic on port 51347 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51161
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51165
Source: unknown Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51172
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51359 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51179
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51181
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51185
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51183
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51107
Source: unknown Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51105
Source: unknown Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51103
Source: unknown Network traffic detected: HTTP traffic on port 50731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown Network traffic detected: HTTP traffic on port 51269 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51128
Source: unknown Network traffic detected: HTTP traffic on port 51188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51129
Source: unknown Network traffic detected: HTTP traffic on port 51335 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51127
Source: unknown Network traffic detected: HTTP traffic on port 51004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51125
Source: unknown Network traffic detected: HTTP traffic on port 50836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51130
Source: unknown Network traffic detected: HTTP traffic on port 50412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50341 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51139
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51133
Source: unknown Network traffic detected: HTTP traffic on port 50689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51134
Source: unknown Network traffic detected: HTTP traffic on port 51242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51137
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51138
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51136
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51141
Source: unknown Network traffic detected: HTTP traffic on port 51270 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51282 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50448 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50529 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50473 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51294 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50660 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50530 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50436 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50659 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51187
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51191
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51195
Source: unknown Network traffic detected: HTTP traffic on port 50542 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51196
Source: unknown Network traffic detected: HTTP traffic on port 50972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51194
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51197
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51198
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50554 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50647 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50859
Source: unknown Network traffic detected: HTTP traffic on port 50749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50851
Source: unknown Network traffic detected: HTTP traffic on port 51044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50867
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50868
Source: unknown Network traffic detected: HTTP traffic on port 50956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50862
Source: unknown Network traffic detected: HTTP traffic on port 50864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: audio-x-generic.png.2.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: CasPol.exe, 0000000A.00000003.226083862941.0000000001139000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: CasPol.exe, 0000000A.00000003.226083862941.0000000001139000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EPAYMENT.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: EPAYMENT.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: EPAYMENT.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: EPAYMENT.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://s2.symcb.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://sv.symcd.com0&
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: NeroCmd.exe.2.dr String found in binary or memory: http://www.nero.com
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228289426325.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880062647.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470347663.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229376093740.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230469971603.000000001D768000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/(
Source: CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/H
Source: CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/X
Source: CasPol.exe, 0000000A.00000003.229376225178.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880171161.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470532741.00000000010E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe
Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exehttps://cdn.disco
Source: CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973718274879651920/divinbot_LnXMPAfP50.bin
Source: CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/lowedCert_AutoUpdate_1
Source: CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/soft
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: NeroCmd.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: EPAYMENT.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50309 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50459 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51082 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_00405809

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: EPAYMENT.exe
Executable has a suspicious name (potential lure to open the executable)
Source: EPAYMENT.exe Static file information: Suspicious name
Uses 32bit PE files
Source: EPAYMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00406D5F 2_2_00406D5F
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_6FE71BFF 2_2_6FE71BFF
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327A603 2_2_0327A603
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03286A40 2_2_03286A40
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032881E3 2_2_032881E3
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03281767 2_2_03281767
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03281751 2_2_03281751
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032813A8 2_2_032813A8
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327AFBF 2_2_0327AFBF
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03287BE2 2_2_03287BE2
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03286FE5 2_2_03286FE5
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03288E22 2_2_03288E22
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327CA07 2_2_0327CA07
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327DEBB 2_2_0327DEBB
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03289114 2_2_03289114
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327CD6C 2_2_0327CD6C
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03287558 2_2_03287558
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327DD58 2_2_0327DD58
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032891B8 2_2_032891B8
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03278D88 2_2_03278D88
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327DDF0 2_2_0327DDF0
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327C9C4 2_2_0327C9C4
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03280453 2_2_03280453
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327DCB6 2_2_0327DCB6
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327DCBF 2_2_0327DCBF
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03281099 2_2_03281099
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F95489 10_2_00F95489
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C3C 10_2_00F93C3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9E213 10_2_00F9E213
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F91DD6 10_2_00F91DD6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9F9B6 10_2_00F9F9B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00FA08E7 10_2_00FA08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93CC8 10_2_00F93CC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F940C2 10_2_00F940C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93CAA 10_2_00F93CAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93EAE 10_2_00F93EAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C9D 10_2_00F93C9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F95492 10_2_00F95492
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9568E 10_2_00F9568E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9886C 10_2_00F9886C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C4E 10_2_00F93C4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F97C26 10_2_00F97C26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00FA05F5 10_2_00FA05F5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F941DA 10_2_00F941DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93DDE 10_2_00F93DDE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93BCF 10_2_00F93BCF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F955C3 10_2_00F955C3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9E7B8 10_2_00F9E7B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9F3B5 10_2_00F9F3B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9419D 10_2_00F9419D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F92792 10_2_00F92792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00FA098B 10_2_00FA098B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98B7B 10_2_00F98B7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93F62 10_2_00F93F62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9055B 10_2_00F9055B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9E94D 10_2_00F9E94D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9414E 10_2_00F9414E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98F3A 10_2_00F98F3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9453F 10_2_00F9453F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9ED2B 10_2_00F9ED2B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9552B 10_2_00F9552B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98F24 10_2_00F98F24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93D1A 10_2_00F93D1A
Contains functionality to call native functions
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0328A595 NtResumeThread, 2_2_0328A595
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032881E3 NtAllocateVirtualMemory, 2_2_032881E3
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0328A00F NtProtectVirtualMemory, 2_2_0328A00F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9866D NtProtectVirtualMemory, 10_2_00F9866D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C3C NtProtectVirtualMemory, 10_2_00F93C3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00FA17E2 NtProtectVirtualMemory, 10_2_00FA17E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9F9B6 NtAllocateVirtualMemory, 10_2_00F9F9B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93CC8 NtProtectVirtualMemory, 10_2_00F93CC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F940C2 NtProtectVirtualMemory, 10_2_00F940C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93CAA NtProtectVirtualMemory, 10_2_00F93CAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93EAE NtProtectVirtualMemory, 10_2_00F93EAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C9D NtProtectVirtualMemory, 10_2_00F93C9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C4E NtProtectVirtualMemory, 10_2_00F93C4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93DDE NtProtectVirtualMemory, 10_2_00F93DDE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93BCF NtProtectVirtualMemory, 10_2_00F93BCF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93F62 NtProtectVirtualMemory, 10_2_00F93F62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9414E NtProtectVirtualMemory, 10_2_00F9414E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93D1A NtProtectVirtualMemory, 10_2_00F93D1A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98715 NtProtectVirtualMemory, 10_2_00F98715
Sample file is different than original file name gathered from version info
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArmouryCrate.AppServiceBridge.exeZ vs EPAYMENT.exe
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNeroCMD.exe vs EPAYMENT.exe
PE file contains strange resources
Source: EPAYMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\EPAYMENT.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: EPAYMENT.exe Static PE information: invalid certificate
PE file contains more sections than normal
Source: libtclsqlite3.dll.2.dr Static PE information: Number of sections : 19 > 10
Source: EPAYMENT.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\EPAYMENT.exe File read: C:\Users\user\Desktop\EPAYMENT.exe Jump to behavior
Source: EPAYMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EPAYMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\EPAYMENT.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe" Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe" Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403640
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\nss2F5C.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winEXE@7/10@1/1
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_004021AA CoCreateInstance, 2_2_004021AA
Source: C:\Users\user\Desktop\EPAYMENT.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
Source: EPAYMENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr
Source: Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.225982150371.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.226641346384.0000000003278000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_6FE730C0 push eax; ret 2_2_6FE730EE
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327ABBD push eax; iretd 2_2_0327ABC5
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327B386 push ecx; retf 2_2_0327B39F
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327BD4C push ebx; iretd 2_2_0327BD4B
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327BC36 push ebx; iretd 2_2_0327BD4B
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327BC0F push ebx; iretd 2_2_0327BD4B
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327C8A0 push cs; retf 2_2_0327C8A1
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327BCBD push ebx; iretd 2_2_0327BD4B
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03279496 push esp; iretd 2_2_03279498
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032794CD pushad ; iretd 2_2_032794CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93AA3 push edi; retn 4FC9h 10_2_00F93A89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F90CA0 pushad ; iretd 10_2_00F90CA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93490 push ebx; iretd 10_2_00F9351E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F90C69 push esp; iretd 10_2_00F90C6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93409 push ebx; iretd 10_2_00F9351E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F933E2 push ebx; iretd 10_2_00F9351E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F92390 push eax; iretd 10_2_00F92398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F92B59 push ecx; retf 10_2_00F92B72
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9351F push ebx; iretd 10_2_00F9351E
PE file contains sections with non-standard names
Source: NeroCmd.exe.2.dr Static PE information: section name: .shared
Source: libtclsqlite3.dll.2.dr Static PE information: section name: .xdata
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /4
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /19
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /31
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /45
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /57
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /70
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /81
Source: libtclsqlite3.dll.2.dr Static PE information: section name: /92
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6FE71BFF
Drops PE files
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\NeroCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe File created: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\EPAYMENT.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=\A1.EXEHTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/973717070128771135/973717952987820073/A1.EXEHTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/973717070128771135/973718274879651920/DIVINBOT_LNXMPAFP50.BIN
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEL
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7184 Thread sleep time: -15510000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\EPAYMENT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NeroCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327807D rdtsc 2_2_0327807D
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 1551 Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405D74
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0040699E FindFirstFileW,FindClose, 2_2_0040699E
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B
Source: C:\Users\user\Desktop\EPAYMENT.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\EPAYMENT.exe API call chain: ExitProcess graph end node
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=\a1.exehttps://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exehttps://cdn.discordapp.com/attachments/973717070128771135/973718274879651920/divinbot_LnXMPAfP50.bin
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWl\
Source: CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880062647.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470347663.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229376093740.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exel
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6FE71BFF
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0327807D rdtsc 2_2_0327807D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03280F42 mov eax, dword ptr fs:[00000030h] 2_2_03280F42
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032812A1 mov eax, dword ptr fs:[00000030h] 2_2_032812A1
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_032812A3 mov eax, dword ptr fs:[00000030h] 2_2_032812A3
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03280E9A mov eax, dword ptr fs:[00000030h] 2_2_03280E9A
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_0328112F mov ebx, dword ptr fs:[00000030h] 2_2_0328112F
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03289114 mov eax, dword ptr fs:[00000030h] 2_2_03289114
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03287558 mov eax, dword ptr fs:[00000030h] 2_2_03287558
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03287DB4 mov eax, dword ptr fs:[00000030h] 2_2_03287DB4
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03281099 mov ebx, dword ptr fs:[00000030h] 2_2_03281099
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_03281099 mov eax, dword ptr fs:[00000030h] 2_2_03281099
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9866D mov eax, dword ptr fs:[00000030h] 10_2_00F9866D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F93C3C mov eax, dword ptr fs:[00000030h] 10_2_00F93C3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00FA08E7 mov eax, dword ptr fs:[00000030h] 10_2_00FA08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98A74 mov eax, dword ptr fs:[00000030h] 10_2_00F98A74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98A76 mov eax, dword ptr fs:[00000030h] 10_2_00F98A76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9886C mov ebx, dword ptr fs:[00000030h] 10_2_00F9886C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9886C mov eax, dword ptr fs:[00000030h] 10_2_00F9886C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9F587 mov eax, dword ptr fs:[00000030h] 10_2_00F9F587
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F9ED2B mov eax, dword ptr fs:[00000030h] 10_2_00F9ED2B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98715 mov eax, dword ptr fs:[00000030h] 10_2_00F98715
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_00F98902 mov ebx, dword ptr fs:[00000030h] 10_2_00F98902
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\EPAYMENT.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\EPAYMENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F90000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe" Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe" Jump to behavior
Source: C:\Users\user\Desktop\EPAYMENT.exe Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403640
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624181 Sample: EPAYMENT.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 88 28 cdn.discordapp.com 2->28 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected GuLoader 2->36 38 4 other signatures 2->38 8 EPAYMENT.exe 1 26 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 8->22 dropped 24 C:\Users\user\AppData\...\libtclsqlite3.dll, PE32+ 8->24 dropped 26 2 other files (none is malicious) 8->26 dropped 40 Writes to foreign memory regions 8->40 42 Tries to detect Any.run 8->42 12 CasPol.exe 9 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 30 cdn.discordapp.com 162.159.129.233, 443, 49760, 49761 CLOUDFLARENETUS United States 12->30 44 Tries to detect Any.run 12->44 18 conhost.exe 12->18         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.159.129.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cdn.discordapp.com 162.159.129.233 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe false
    		high