Edit tour

Windows Analysis Report
EPAYMENT.exe

Overview

General Information

Sample Name:	EPAYMENT.exe
Analysis ID:	624181
MD5:	9811d64e29ef53e107f9379526cfd338
SHA1:	b6e84580f902a0c3d3f77748a2a027c9fe42db68
SHA256:	e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

EPAYMENT.exe (PID: 1976 cmdline: "C:\Users\user\Desktop\EPAYMENT.exe" MD5: 9811D64E29EF53E107F9379526CFD338)

CasPol.exe (PID: 2376 cmdline: "C:\Users\user\Desktop\EPAYMENT.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

CasPol.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\EPAYMENT.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000A.00000000.225982150371.0000000000F90000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.226641346384.0000000003278000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe"}

Multi AV Scanner detection for submitted file

Source: EPAYMENT.exe

ReversingLabs: Detection: 17%

Source: EPAYMENT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50459 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51082 version: TLS 1.2

Source: EPAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr
Source:	Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0040290B FindFirstFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50730
Source: unknown	Network traffic detected: HTTP traffic on port 50693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50745
Source: unknown	Network traffic detected: HTTP traffic on port 50578 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50747
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50741
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50758
Source: unknown	Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50752
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50762
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50761
Source: unknown	Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50763
Source: unknown	Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 51192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 51077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 50783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50591 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50704
Source: unknown	Network traffic detected: HTTP traffic on port 50656 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50705
Source: unknown	Network traffic detected: HTTP traffic on port 51065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50716
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50719
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50718
Source: unknown	Network traffic detected: HTTP traffic on port 50808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50721
Source: unknown	Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50720
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50729
Source: unknown	Network traffic detected: HTTP traffic on port 50644 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50632 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown	Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown	Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown	Network traffic detected: HTTP traffic on port 50923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50779
Source: unknown	Network traffic detected: HTTP traffic on port 50911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50778
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50772
Source: unknown	Network traffic detected: HTTP traffic on port 51025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50774
Source: unknown	Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50789
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50786
Source: unknown	Network traffic detected: HTTP traffic on port 51139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50785
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50792
Source: unknown	Network traffic detected: HTTP traffic on port 51245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50797
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50796
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50514 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51147
Source: unknown	Network traffic detected: HTTP traffic on port 51176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown	Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown	Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown	Network traffic detected: HTTP traffic on port 50755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51162
Source: unknown	Network traffic detected: HTTP traffic on port 51347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51161
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51165
Source: unknown	Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51172
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51179
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51181
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51185
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51183
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51107
Source: unknown	Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51105
Source: unknown	Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51103
Source: unknown	Network traffic detected: HTTP traffic on port 50731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown	Network traffic detected: HTTP traffic on port 51269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51128
Source: unknown	Network traffic detected: HTTP traffic on port 51188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51129
Source: unknown	Network traffic detected: HTTP traffic on port 51335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51127
Source: unknown	Network traffic detected: HTTP traffic on port 51004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51125
Source: unknown	Network traffic detected: HTTP traffic on port 50836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51130
Source: unknown	Network traffic detected: HTTP traffic on port 50412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51133
Source: unknown	Network traffic detected: HTTP traffic on port 50689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51134
Source: unknown	Network traffic detected: HTTP traffic on port 51242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51140
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51141
Source: unknown	Network traffic detected: HTTP traffic on port 51270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50517 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50448 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50461 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50529 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50473 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51187
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51195
Source: unknown	Network traffic detected: HTTP traffic on port 50542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51196
Source: unknown	Network traffic detected: HTTP traffic on port 50972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51194
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51198
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50554 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50859
Source: unknown	Network traffic detected: HTTP traffic on port 50749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50851
Source: unknown	Network traffic detected: HTTP traffic on port 51044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50867
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50868
Source: unknown	Network traffic detected: HTTP traffic on port 50956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50862
Source: unknown	Network traffic detected: HTTP traffic on port 50864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: audio-x-generic.png.2.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: CasPol.exe, 0000000A.00000003.226083862941.0000000001139000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: CasPol.exe, 0000000A.00000003.226083862941.0000000001139000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EPAYMENT.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: EPAYMENT.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: EPAYMENT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: EPAYMENT.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: NeroCmd.exe.2.dr	String found in binary or memory: http://www.nero.com
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228289426325.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880062647.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470347663.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229376093740.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230469971603.000000001D768000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/(
Source: CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/H
Source: CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/X
Source: CasPol.exe, 0000000A.00000003.229376225178.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880171161.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470532741.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe
Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exehttps://cdn.disco
Source: CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/973717070128771135/973718274879651920/divinbot_LnXMPAfP50.bin
Source: CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/lowedCert_AutoUpdate_1
Source: CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/soft
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NeroCmd.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: EPAYMENT.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:50459 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:51082 version: TLS 1.2

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: EPAYMENT.exe

Executable has a suspicious name (potential lure to open the executable)

Source: EPAYMENT.exe

Static file information: Suspicious name

Source: EPAYMENT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_00406D5F
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_6FE71BFF
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327A603
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03286A40
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032881E3
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03281767
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03281751
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032813A8
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327AFBF
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03287BE2
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03286FE5
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03288E22
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327CA07
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327DEBB
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03289114
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327CD6C
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03287558
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327DD58
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032891B8
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03278D88
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327DDF0
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327C9C4
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03280453
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327DCB6
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327DCBF
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03281099
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F95489
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C3C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9E213
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F91DD6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9F9B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00FA08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93CC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F940C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93CAA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93EAE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F95492
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9568E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9886C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F97C26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00FA05F5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F941DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93DDE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93BCF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F955C3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9E7B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9F3B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9419D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F92792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00FA098B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98B7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93F62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9055B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9E94D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9414E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98F3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9453F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9ED2B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9552B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98F24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93D1A

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0328A595 NtResumeThread,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032881E3 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0328A00F NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9866D NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C3C NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00FA17E2 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9F9B6 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93CC8 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F940C2 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93CAA NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93EAE NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C9D NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C4E NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93DDE NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93BCF NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93F62 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9414E NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93D1A NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98715 NtProtectVirtualMemory,

Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArmouryCrate.AppServiceBridge.exeZ vs EPAYMENT.exe
Source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNeroCMD.exe vs EPAYMENT.exe

Source: EPAYMENT.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\EPAYMENT.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll

Source: EPAYMENT.exe

Static PE information: invalid certificate

Source: libtclsqlite3.dll.2.dr

Static PE information: Number of sections : 19 > 10

Source: EPAYMENT.exe

ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\EPAYMENT.exe

File read: C:\Users\user\Desktop\EPAYMENT.exe

Jump to behavior

Source: EPAYMENT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EPAYMENT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\EPAYMENT.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"

Source: C:\Users\user\Desktop\EPAYMENT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\EPAYMENT.exe

File created: C:\Users\user\AppData\Local\Temp\nss2F5C.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@7/10@1/1

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_004021AA CoCreateInstance,

Source: C:\Users\user\Desktop\EPAYMENT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02

Source: EPAYMENT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\_GC3\SC\GC3.Service\GC3.Service.AppServiceBridge\GC3.Service.AppServiceBridge\obj\Release\ArmouryCrate.AppServiceBridge.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, ArmouryCrate.AppServiceBridge.exe.2.dr
Source:	Binary string: C:\Builds\78\N2\HO_NBR_g_2016_r_2016\Sources\NeroCMD\src\Release\NeroCmd.pdb source: EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.225982150371.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.226641346384.0000000003278000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_6FE730C0 push eax; ret
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327ABBD push eax; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327B386 push ecx; retf
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327BD4C push ebx; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327BC36 push ebx; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327BC0F push ebx; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327C8A0 push cs; retf
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0327BCBD push ebx; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03279496 push esp; iretd
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032794CD pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93AA3 push edi; retn 4FC9h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F90CA0 pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93490 push ebx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F90C69 push esp; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93409 push ebx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F933E2 push ebx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F92390 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F92B59 push ecx; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9351F push ebx; iretd

Source: NeroCmd.exe.2.dr	Static PE information: section name: .shared
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: .xdata
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /4
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /19
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /31
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /45
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /57
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /70
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /81
Source: libtclsqlite3.dll.2.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\NeroCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	File created: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\EPAYMENT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\EPAYMENT.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\EPAYMENT.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=\A1.EXEHTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/973717070128771135/973717952987820073/A1.EXEHTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/973717070128771135/973718274879651920/DIVINBOT_LNXMPAFP50.BIN
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEL
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7184

Thread sleep time: -15510000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NeroCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EPAYMENT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_0327807D rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Window / User API: threadDelayed 1551

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0040290B FindFirstFileW,

Source: C:\Users\user\Desktop\EPAYMENT.exe

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\EPAYMENT.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\EPAYMENT.exe	API call chain: ExitProcess graph end node

Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=\a1.exehttps://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exehttps://cdn.discordapp.com/attachments/973717070128771135/973718274879651920/divinbot_LnXMPAfP50.bin
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl\
Source: CasPol.exe, 0000000A.00000003.229375400377.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880062647.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470347663.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193381653.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229376093740.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737246914.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228288864628.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880532797.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226381874559.0000000001127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exel
Source: EPAYMENT.exe, 00000002.00000002.226641583193.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: EPAYMENT.exe, 00000002.00000002.226639359815.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: EPAYMENT.exe, 00000002.00000002.226641985094.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000A.00000002.230881554160.0000000002F19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_6FE71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: C:\Users\user\Desktop\EPAYMENT.exe

Code function: 2_2_0327807D rdtsc

Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03280F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032812A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_032812A3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03280E9A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_0328112F mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03289114 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03287558 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03287DB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03281099 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EPAYMENT.exe	Code function: 2_2_03281099 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9866D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F93C3C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00FA08E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98A74 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98A76 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9886C mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9886C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9F587 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F9ED2B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98715 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 10_2_00F98902 mov ebx, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\EPAYMENT.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EPAYMENT.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F90000

Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"
Source: C:\Users\user\Desktop\EPAYMENT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\EPAYMENT.exe"

Source: C:\Users\user\Desktop\EPAYMENT.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Access Token Manipulation	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	4 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EPAYMENT.exe	17%	ReversingLabs	Win32.Trojan.Nemesis

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\NeroCmd.exe	5%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\NeroCmd.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	1%	Virustotal		Browse
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	1%	Virustotal		Browse
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.129.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/lowedCert_AutoUpdate_1	CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	EPAYMENT.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/(	CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/H	CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://creativecommons.org/licenses/by-sa/4.0/	audio-x-generic.png.2.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	false		high
http://ocsp.sectigo.com0	EPAYMENT.exe	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	EPAYMENT.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/973717070128771135/973718274879651920/divinbot_LnXMPAfP50.bin	CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.nero.com	NeroCmd.exe.2.dr	false		high
https://cdn.discordapp.com/soft	CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	EPAYMENT.exe	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/X	CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/	CasPol.exe, 0000000A.00000002.230880978804.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227737647233.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228289426325.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.226382263087.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.230880062647.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230470347663.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229376093740.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270370287.0000000001127000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.230469971603.000000001D768000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.228270745395.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.229375840195.000000000117E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.227193804340.000000000117E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	EPAYMENT.exe	false		high
https://cdn.discordapp.com/attachments/973717070128771135/973717952987820073/a1.exehttps://cdn.disco	CasPol.exe, 0000000A.00000002.230881211263.00000000012D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	EPAYMENT.exe, 00000002.00000002.226640259314.000000000292D000.00000004.00000800.00020000.00000000.sdmp, NeroCmd.exe.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.129.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	624181
Start date and time: 11/05/202210:24:41	2022-05-11 10:24:41 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	EPAYMENT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@7/10@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 26.3% (good quality ratio 25.9%) Quality average: 88.6% Quality standard deviation: 21.6%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, wdcpalt.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:27:12	API Interceptor	1558x Sleep call for process: CasPol.exe modified

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23272
Entropy (8bit):	6.162753529320517
Encrypted:	false
SSDEEP:	384:VHgV9NMVOQA17TvjHj9vtqM1J/FMPjbyJ5WMQJK2wKucYUyGJhHH:VADCVc7ZFHF6juJ5D2X9DJhH
MD5:	19E44C0A8284EFB1E82BD1BB2ACC8EB1
SHA1:	1321814D12BA3FB035071BFB036F762E14824A85
SHA-256:	80F180CEC8BB6E524E7A3D5B9858020AF99869EDABFAD1F594A62DD246F1194E
SHA-512:	7531A6EED220BD1AA1C92E33B35D9D2CE824B75D007C8D581A030EE52EEECA0ADDECE6B6352FE77BE2146EF7F247E65C70ACE344B2296FAB1939046D783F427F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........."...0..0..........&N... ...`....@.. ....................................`..................................M..O....`..L............<...............L............................................... ............... ..H............text...,.... ...0.................. ..`.rsrc...L....`.......2..............@..@.reloc...............:..............@..B.................N......H........1...............................................................0.............(...+.@...................s........(........o........s....%o....&%o........o..........o.........,...o.........,...o.......&.....9d...s.........o.......o......o......+. ....(......o....,...o........:......(..........o .....+. ....(......o....,...o!.......o"...:......o#...r...po$...,...o#...r...po%.........+. .......o#...r...po$...,}..o#...r...po%...t....(....o........(.........j ....jo&.....

C:\Users\user\AppData\Local\Temp\NeroCmd.exe

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	215928
Entropy (8bit):	5.786985951434551
Encrypted:	false
SSDEEP:	3072:vMYGi18N39JYhuryGeqD01AYy5WKKB0vO9/s7oJfhLndhh9vCEyBinlYNZTy7F9Z:vRuryGpoksksnTSvM
MD5:	D74AB8F08D67A289D01DEFC064BFCDA9
SHA1:	FD407C22AE7E90CA599A5B6150AD2E256750400F
SHA-256:	FC26BCD62EDF699C82D67A354F223430F9CD9844189A0933D3402A2BAC4C2005
SHA-512:	119E680A65FE50636BE199A5ED203FFFDD22C4FA1B75BA92DF536951B5002A907FE404F3BB548AB39BC5E54D34E1547FBAAE988147D80790CDFC4382E5F803A3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 5%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{H=X{...{H=[{...{H=^{...{H=Z{...{...{...{.f>{...{{.Z{...{..^{...{...{...{..Z{...{..\{...{..Y{...{Rich...{................PE..L....W.V.............................u............@..........................p.......c....@..........................................@..................x3...P......@...8...............................@............................................text...;........................... ..`.rdata..rb.......d..................@..@.data...............................@....shared......0......................@....rsrc........@......................@..@.reloc..R....P......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Nysene7.Bru4

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	78447
Entropy (8bit):	6.497483193133565
Encrypted:	false
SSDEEP:	1536:brvB0TYtiX9UmRWO38QRb17dFiGBdaB0CgzFkkv7j1nn:/vYLA7ab1Xp3aB0CIq2B
MD5:	BA4672E4475BDC8152DBD5DF6605682C
SHA1:	A808B14BC9935E47495E721B75B0241E84084769
SHA-256:	73C68FE84E10437CEF3CB3E7159CB81913E622FCAA04A3D5A8751DEBAF70881B
SHA-512:	DF503DEC8D30269C491C0B699228D35B5D26C707B36F6F553882F290560E5346793F0D2A041BF0685CA7B42B1421CF71FFDD1197FF192DD3275342E91AC34F6E
Malicious:	false
Reputation:	low
Preview:	......Hm....................................-[..N...........................................f.f..,.).x8888888888888888888888888888888888888888_......'.2P.HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH<..t....'...n.....................................f......*j%.C...........................................2H.................................................<A.........@/h222222222222222222222222222222222222222222<......7.8}!...................................................1..e......cl;................................`..0...njjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj..~....5..$/.....................................................+]4w........................................<{......8Y.".iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii..Y......................................................4...... ..K1..................................q....W.;IIIIIIIIIIIIIIIIIIIIIIIIIII.........5.X.~..................................................4$.....c...4...d.......................................

C:\Users\user\AppData\Local\Temp\a1.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	XML 1.0 document text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	4.745008847905136
Encrypted:	false
SSDEEP:	6:TM3i0b9ZjZvKtWRbtmdsfbPAxjqm1bANKvn:TM3i0b9BZKtWRbtmdsfbPAxjqSkNKv
MD5:	A6A676051F857D516F6C4BEC595A7CFB
SHA1:	10E7C48A109FFBE60FA7AB3585C4BD711942CBD2
SHA-256:	98686E602B5F75BBCEB801CA315617579AD9FFE9E2DF66D49673EA35A7E1F343
SHA-512:	DF302B28E5897BAC668AD1AE2B32D2424AF7C8CDF4527AC54EA268E6E9FBF41EFE28B236AF25CEACB5E5ACD95B6C99B8CF95FA735687358A265BD59E2B127BA6
Malicious:	false
Preview:	<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>

C:\Users\user\AppData\Local\Temp\audio-x-generic.png

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	857
Entropy (8bit):	7.4319481758097155
Encrypted:	false
SSDEEP:	12:6v/7wtZB4RO4HE+swFIP2sdDYJYRelujZwNjCitHn9q+kfbtvMy+3HgZUh2:Xtk15/OmYRe7CitH9qPbtv83HgZU2
MD5:	CA015E7C4B05BD9FB87AF3772AD92E5C
SHA1:	E31B3BF7D29D3185FCE5A5E36D54DD804FB74564
SHA-256:	F7C132E53160C6A7CC9A79CB74DCCC3762C4A96BB4987B6E1A8755A270905976
SHA-512:	FFF2A7B0878F32C4D21FA0512FC5606611CB9726DDCE5C4542470AC6E2AC7A6CB31B38E5E27CEA750165ED0E7DFF7EC3814EB06A5AC059B1D9B81A523ADF2243
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....pHYs..........+......tEXtSoftware.www.inkscape.org..<.....tEXtTitle.Adwaita Icon Template...?....tEXtAuthor.GNOME Design Team`.v~...RtEXtCopyright.CC Attribution-ShareAlike http://creativecommons.org/licenses/by-sa/4.0/.Tb....-IDAT8...?hTA....v.K.wG...c..@H. .......F-$...J...2(Vj!..b.....$E.s.\.......X......r...7...Yjg..[.YE..U..tnv.X.....J.......].!.....I.AA.......w7..{ V..\..F.Th..g...~}...D....... >..{...q....E..u{.D....W....03#..!PS..........bfk.fex.2.r_..x.1.`K@.9..........U..9..@......]6Wg..WG....2\|.)..I..21.a...>1946<.K...kH..}.(.....U.}=.LzP..P..L$H....`e.._B...lbT.w.T<.A...5......9`..!.7p..7..8..)...8`.f. .K.1c.~.h.G=k.a3...j,.h....?.6#..l...(....D.!b.7...o.f.....V7.s7Q..n.S[.n.K..]@....K?5....(....;.{.{ >....+.Wj/............x.R......_..O5........IEND.B`.

C:\Users\user\AppData\Local\Temp\camera-photo.png

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	764
Entropy (8bit):	7.7061001591040155
Encrypted:	false
SSDEEP:	12:6v/7UuL/1leVdkTaP4LAtxU5Tslf/4qlgOa9WG6q9STu/Z4E5sJekNLo21VPulL4:7uL/zCkTaHt/lf/4rxMG6G7sJbcuP7
MD5:	649C9AB161501E1AA88B3D32C4F71023
SHA1:	A916E4161B6A0F11F0DA539EEEF4513E5FB08FE2
SHA-256:	D69CFE54FF9E3249DA241654FFA768D23E52297E7459FE61662C4129850D16AF
SHA-512:	8F1C8215B98C5488B53DB538E7980F82CC9C4B0A872DFD23E63412B50B629F08DB2D085E8B7A15A0BEE5527560708917D4D2B4D6C794C3D352DE056AB2F57E21
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.....dW.@.{.0...m.VX.q...V....m..5.{o9A}.k.+.P(..P..=....:.....2.e.!.k..v..#GV,^....TVV..l...o..l."..."....G..@y...t:...Pq......9.i.X,.TU..p.A2.......].:333.....X&g........y.8....;..{p{.TUU.k.S3.:..`..O?.Lh..W...05....m.6$rU._S].7.DeE9R~zf.C.9~..n....T1......>..^..5..c.y..\|..as:....KJP)p.....p.5. ....v$9..(.n..+.....&.........BU...D...&....$.......x....<..+........p(D.....%.I....zm1..t#>.._.....Y.. ..0.d.........`bb....d..C..Q..+.....R_WGbh.F..d`X.j.eee....#.L.I.h*C1V.....jkk..o9.......E9z.8S.c.....D..#-...Y.\|..d.2.G.W.....}.O..........f.....O......q.q.\.....X.f..\......X./r2w...Q.:M..K.n..I(..Y...OX.b.Z.A.y..I.R.v.2....x.......;.<'`).4........~..B>.QE"....IEND.B`.

C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	172061
Entropy (8bit):	5.423536082857285
Encrypted:	false
SSDEEP:	1536:cRG/dDih4WuPLfJ0NJ/OdJLpppxejxgE2h7iK9nXHe2n0S0uf44PO:JkeEOJLpppm6N0Sr4aO
MD5:	97F6D21CE726247E03A03D7F03D0A847
SHA1:	4D94D170078B3422E410D5E6DE3DCA74CB7E6457
SHA-256:	9E81CE570879BC87D332989561234AD5BB8BDA62D30A320A76A4373863BF6012
SHA-512:	983E78C81AD69F52E4594D19BB3D1BC06C55DE54E2569290566185934B184B4F81D13F80ABBBDE749894599E7071CE52935988CD527BF21C9CE246914AE9C0DF
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...`L.`..........& ...$............P.....................................................`... ......................................0.......@..................h...............................................(....................D...............................text..............................`.P`.data...`...........................@.`..rdata..............................@.`@.pdata..h...........................@.0@.xdata..............................@.0@.bss....0.... ........................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....X....`......................@.@..tls.........p......................@.@..reloc..............................@.0B/4..................................@.PB/19.....C...........................@..B/31.......... ......................@..B/45..........@... ..................@..B/57.....

C:\Users\user\AppData\Local\Temp\list-drag-handle-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	624
Entropy (8bit):	3.5629799376743088
Encrypted:	false
SSDEEP:	12:t4CDqKIUMUMfUMUMK5UM4IIUMUMfUMUMK5UM4JIUMUMfUMUMK5UM4IIUMUMfUMUo:t4CVI55f55U5rI55f55U5sI55f55U5rs
MD5:	1BA333F3E126D8A83CA3C6FCFB71FBC8
SHA1:	D54F87C1937D6A08455C903B4E60F6B390A9C583
SHA-256:	7DEC55F99B6FA48395B801EDE687C47330E79C4045F48B7AF673FB259F29FF32
SHA-512:	AA2E2E617E28925B3C69C25E9CD87073D7346544CFDA1B106D4A2198818F82895355B4F8FA6EF98242730565153C1EF3BDBDAF63864A3F186171AB81E3DE342A
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M4.494 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm-6 6a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm-6 6a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5z" fill="#2e3436"/></svg>

C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.81812520226775
Encrypted:	false
SSDEEP:	48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L
MD5:	68B287F4067BA013E34A1339AFDB1EA8
SHA1:	45AD585B3CC8E5A6AF7B68F5D8269C97992130B3
SHA-256:	18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
SHA-512:	06C38BBB07FB55256F3CDC24E77B3C8F3214F25BFD140B521A39D167113BF307A7E8D24E445D510BC5E4E41D33C9173BB14E3F2A38BC29A0E3D08C1F0DCA4BDB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....Oa...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\EPAYMENT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.93430870701767
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EPAYMENT.exe
File size:	384544
MD5:	9811d64e29ef53e107f9379526cfd338
SHA1:	b6e84580f902a0c3d3f77748a2a027c9fe42db68
SHA256:	e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8
SHA512:	c6846c98cdd741f95273166b88081709125ce4e7f25ea7ab5841fdbb147cc29663ab7a881f059cc8e54735ab2ef680998ae59c8bcbd0a3b6e4f7629abf54c91e
SSDEEP:	6144:cYa6FhyPsCD05Fo1/atIU3jNJ7CIzAlb5Eyy77XEwPBkbCt:cYve1/OIMB1RzAlb8zE08C
TLSH:	DE84BFA63F19CC11C39094FD6621E1E999B56E2027BA8662F3E13F6F756CF427D0D202
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	d0d4d6ccb2ece8d2

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Athyria Nongrounding6 ", O=Love, L=East Somerton, S=England, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	10/05/2022 23:50:02 10/05/2023 23:50:02
Subject Chain	CN="Athyria Nongrounding6 ", O=Love, L=East Somerton, S=England, C=GB
Version:	3
Thumbprint MD5:	1C850933333AFF3DA0E7F4C963D569F0
Thumbprint SHA-1:	07B50D61787E7BBD1B41CA33E6A1258B648D7650
Thumbprint SHA-256:	1477FB61D72ED9022411300487096BB783B852377EA8078EB9A562BE2CB599E8
Serial:	935DAD340200F0CA

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FC13D437B1Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FC13D437AEAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x28408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5c458	0x19c8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.656813401442	data	6.41745998719	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.14106681717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.509765625	data	4.11058212765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x27000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x28408	0x28600	False	0.228412828947	data	4.94608860234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x52328	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x62b50	0x94a8	data	English	United States
RT_ICON	0x6bff8	0x5488	data	English	United States
RT_ICON	0x71480	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x756a8	0x25a8	data	English	United States
RT_ICON	0x77c50	0x10a8	data	English	United States
RT_ICON	0x78cf8	0x988	data	English	United States
RT_ICON	0x79680	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x79ae8	0x100	data	English	United States
RT_DIALOG	0x79be8	0x11c	data	English	United States
RT_DIALOG	0x79d08	0x60	data	English	United States
RT_GROUP_ICON	0x79d68	0x76	data	English	United States
RT_VERSION	0x79de0	0x2e4	data	English	United States
RT_MANIFEST	0x7a0c8	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description	Data
LegalCopyright	Triad Hospitals Inc
FileVersion	22.18.23
CompanyName	Lawson Software
LegalTrademarks	R.J. Reynolds Tobacco Company
Comments	Tecumseh Products Company
ProductName	Bell Microproducts Inc.
FileDescription	Rohm & Haas Co.
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2022 10:27:12.100692034 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.100784063 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.100961924 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.129106998 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.129131079 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.153850079 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.154047966 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.271070957 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.271826029 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.271997929 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.275578022 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.318500042 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.461464882 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.461642027 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.461692095 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.461833000 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.461944103 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.462421894 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.462579012 CEST	443	49760	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.462965012 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.463004112 CEST	49760	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.942066908 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.942145109 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.942429066 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.942828894 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.942881107 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.965676069 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:12.965854883 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.966177940 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.966311932 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:12.966557026 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.138885975 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.139060974 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.139090061 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.139266014 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.139350891 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.139537096 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.139574051 CEST	443	49761	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.139782906 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.139801979 CEST	49761	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.258728027 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.258807898 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.259001017 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.259418964 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.259471893 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.283235073 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.283427954 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.283845901 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.283991098 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.284178972 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.457360029 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.457551956 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.457587957 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.457706928 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.457906008 CEST	49762	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.457946062 CEST	443	49762	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.587097883 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.587212086 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.587424040 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.587825060 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.587893963 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.611557007 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.611768007 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.613440037 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.614147902 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.614281893 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.792226076 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.792412996 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.792467117 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.792570114 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.792824030 CEST	49763	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.792876005 CEST	443	49763	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.916237116 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.916349888 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.916575909 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.916840076 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.916887999 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.940315962 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:13.940498114 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.940912962 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.941097975 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:13.941289902 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.103734016 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.103991032 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.104003906 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.104191065 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.104257107 CEST	49764	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.104327917 CEST	443	49764	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.227530956 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.227643013 CEST	443	49765	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.227904081 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.228355885 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.228410006 CEST	443	49765	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.253670931 CEST	443	49765	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.253936052 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.254295111 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.254498959 CEST	49765	443	192.168.11.20	162.159.129.233
May 11, 2022 10:27:14.254690886 CEST	443	49765	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.418869972 CEST	443	49765	162.159.129.233	192.168.11.20
May 11, 2022 10:27:14.419044018 CEST	49765	443	192.168.11.20	162.159.129.233

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2022 10:27:12.080164909 CEST	192.168.11.20	1.1.1.1	0x477c	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 11, 2022 10:27:12.090205908 CEST	1.1.1.1	192.168.11.20	0x477c	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2022 10:27:12.090205908 CEST	1.1.1.1	192.168.11.20	0x477c	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2022 10:27:12.090205908 CEST	1.1.1.1	192.168.11.20	0x477c	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2022 10:27:12.090205908 CEST	1.1.1.1	192.168.11.20	0x477c	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2022 10:27:12.090205908 CEST	1.1.1.1	192.168.11.20	0x477c	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)

Target ID:	2
Start time:	10:26:46
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\EPAYMENT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EPAYMENT.exe"
Imagebase:	0x400000
File size:	384544 bytes
MD5 hash:	9811D64E29EF53E107F9379526CFD338
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.226641346384.0000000003278000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: CasPol.exePID: 2376, Parent PID: 1976

General

Target ID:	9
Start time:	10:27:01
Start date:	11/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EPAYMENT.exe"
Imagebase:	0x610000
File size:	106496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CasPol.exePID: 6908, Parent PID: 1976

General

Target ID:	10
Start time:	10:27:01
Start date:	11/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EPAYMENT.exe"
Imagebase:	0xbb0000
File size:	106496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.230879622484.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.225982150371.0000000000F90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: conhost.exePID: 7164, Parent PID: 6908

General

Target ID:	11
Start time:	10:27:01
Start date:	11/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75fc90000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EPAYMENT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ArmouryCrate.AppServiceBridge.exe

C:\Users\user\AppData\Local\Temp\NeroCmd.exe

C:\Users\user\AppData\Local\Temp\Nysene7.Bru4

C:\Users\user\AppData\Local\Temp\a1.exe

C:\Users\user\AppData\Local\Temp\audio-x-generic.png

C:\Users\user\AppData\Local\Temp\camera-photo.png

C:\Users\user\AppData\Local\Temp\libtclsqlite3.dll

C:\Users\user\AppData\Local\Temp\list-drag-handle-symbolic.svg

C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsm2F8C.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
EPAYMENT.exe