Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 03:30 UTC

General

  • Target

    rpayment.scr.exe

  • Size

    701KB

  • MD5

    e7bbeae6c391accd957b6475dd5f0e63

  • SHA1

    9460741f8eaff856a8163ad5a22c68dd24a0595e

  • SHA256

    2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7

  • SHA512

    83feec2439997a2b9f7a2ae67966d7ab831d8eb9d8d8836746223b05c73e45e48cce3fc5d6ba420907e3c279ae2916d734b366829404786936cb93bc567f18d8

  • SSDEEP

    12288:LR3BUIa3RVtFRe5L7lwvIuBUz3D46l0xFXc3gIwEL:V3GIQHY5vlI7Mnl0Pg73L

Malware Config

Extracted

Family

remcos

Botnet

Host-2

C2

176.65.142.14:6060

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HM3EZ8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader family
  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Detected Nirsoft tools 4 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Uses browser remote debugging 2 TTPs 1 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\rpayment.scr.exe"
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Program Files\Google\Chrome\Application\Chrome.exe
        --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
        • Uses browser remote debugging
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6429758,0x7fef6429768,0x7fef6429778
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1520
        • C:\Program Files\Google\Chrome\Application\Chrome.exe
          "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1148 --field-trial-handle=1016,i,1795480744902545178,16705743817957832347,131072 --disable-features=PaintHolding /prefetch:8
          PID:2544
        • C:\Windows\SysWOW64\recover.exe
          C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybwfazcdncdywatdimovkgf"
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1712
        • C:\Windows\SysWOW64\recover.exe
          C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\jvbxbsnxbkwdgohhrwaxvtrqcc"
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2816
        • C:\Windows\SysWOW64\recover.exe
          C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\lyoqtcxypsoqiudlihnyygmhlqmol"
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:580
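
    The process tree above carries three patterns worth turning into detections: a double-extension executable (rpayment.scr.exe) running out of Temp, Chrome started headless with a DevTools remote-debugging port and a scratch --user-data-dir under Temp by a parent that is not a browser, and the Windows binary recover.exe being handed a NirSoft-style /stext output switch it does not itself accept. The Python below is an added example, not part of the sandbox report or of any vendor tooling; it runs those checks over Sysmon-style process-creation events constructed to mirror the tree (PIDs, paths and command lines are copied from the report; the parent of PID 308 and the benign Chrome launch, PID 4000, are invented controls).

```python
"""Hunt for the process-tree patterns in this report over Sysmon-style
process-creation events. Added example; the events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\Chrome.exe"

# Constructed events: PIDs/paths from the report; PPID 1000 and PID 4000 are invented controls.
EVENTS = [
    ProcEvent(308, 1000, TEMP + r"\rpayment.scr.exe", f'"{TEMP}\\rpayment.scr.exe"'),
    ProcEvent(2780, 308, TEMP + r"\rpayment.scr.exe", f'"{TEMP}\\rpayment.scr.exe"'),
    ProcEvent(1332, 2780, CHROME,
              f"--user-data-dir={TEMP}\\TmpUserData --headless --remote-debugging-port=9222 "
              '--profile-directory="Default"'),
    ProcEvent(1520, 1332, CHROME,
              f'"{CHROME}" --type=crashpad-handler --user-data-dir={TEMP}\\TmpUserData /prefetch:7'),
    ProcEvent(1712, 2780, r"C:\Windows\SysWOW64\recover.exe",
              f'C:\\Windows\\SysWOW64\\recover.exe /stext "{TEMP}\\ybwfazcdncdywatdimovkgf"'),
    ProcEvent(2816, 2780, r"C:\Windows\SysWOW64\recover.exe",
              f'C:\\Windows\\SysWOW64\\recover.exe /stext "{TEMP}\\jvbxbsnxbkwdgohhrwaxvtrqcc"'),
    ProcEvent(4000, 900, CHROME, f'"{CHROME}" --profile-directory=Default'),  # benign control
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}
TRUSTED_PARENTS = BROWSERS | {"explorer.exe"}
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port=\d+|pipe)", re.I)
USER_DATA_DIR = re.compile(r'--user-data-dir="?([^"\s]+)', re.I)
# Output switches shared by NirSoft's command-line password-recovery tools.
NIRSOFT_SWITCH = re.compile(r"(?<!\S)/(stext|scomma|stab|stabular|shtml|sverhtml|sxml)(?!\S)", re.I)
DOUBLE_EXT = re.compile(r"\.(scr|pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\Windows\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one Finding per (process, rule) hit; benign events produce none."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""

        # 1. Lure-style double extension executing out of %TEMP%.
        if DOUBLE_EXT.search(name) and TEMP_DIR.search(e.image):
            findings.append(Finding(e.pid, "double_extension_in_temp", "medium",
                                    f"{name} executed from a Temp directory"))

        # 2. Browser started with a DevTools remote-debugging endpoint; each extra
        #    oddity (headless, throwaway profile in Temp, non-browser parent) raises severity.
        m = REMOTE_DEBUG.search(e.cmdline)
        if name in BROWSERS and m:
            reasons = [f"DevTools endpoint {m.group(0)}"]
            if "--headless" in e.cmdline.lower():
                reasons.append("headless")
            udd = USER_DATA_DIR.search(e.cmdline)
            if udd and TEMP_DIR.search(udd.group(1)):
                reasons.append(f"scratch profile {udd.group(1)}")
            if parent_name and parent_name not in TRUSTED_PARENTS:
                reasons.append(f"non-browser parent {parent_name} (pid {e.ppid})")
            severity = "high" if len(reasons) >= 3 else "medium"
            findings.append(Finding(e.pid, "browser_remote_debugging", severity, "; ".join(reasons)))

        # 3. NirSoft export switch passed to a binary under C:\Windows: the switch belongs
        #    to the recovery tool, not to the host image, so the image is likely hollowed.
        sw = NIRSOFT_SWITCH.search(e.cmdline)
        if sw and WINDOWS_DIR.search(e.image):
            findings.append(Finding(e.pid, "nirsoft_export_switch", "high",
                                    f"{name} given NirSoft switch /{sw.group(1)}; "
                                    f"consistent with a hollowed host (parent {parent_name or e.ppid})"))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.severity:6}] pid {f.pid:<5} {f.rule:26} {f.detail}")
```

    Run it as a script to print the findings, or feed hunt() real events from a log pipeline. The third rule keys on the output switch rather than a tool hash because here the NirSoft tools never reach disk under their own name: they run inside recover.exe, which is what the "Detected Nirsoft tools", "Suspicious use of SetThreadContext" and the three recover.exe /stext children together indicate. Crashpad and network-service helper processes inherit --user-data-dir but never carry --remote-debugging-port, so they do not trigger the second rule.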

    Network

    • DNS (US)
      drive.google.com
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      drive.google.com
      IN A
      Response
      drive.google.com
      IN A
      172.217.16.238
    • DNS (US)
      drive.google.com
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      drive.google.com
      IN A
    • GET (GB)
      https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y
      rpayment.scr.exe
      Remote address:
      172.217.16.238:443
      Request
      GET /uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
      Host: drive.google.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 303 See Other
      Content-Type: application/binary
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Fri, 28 Mar 2025 03:30:35 GMT
      Location: https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download
      Strict-Transport-Security: max-age=31536000
      Content-Security-Policy: script-src 'nonce-eVxZgJRz2wn9dIStYL_lHw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
      Cross-Origin-Opener-Policy: same-origin
      Server: ESF
      Content-Length: 0
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • DNS (US)
      c.pki.goog
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.179.227
    • GET (GB)
      http://c.pki.goog/r/r1.crl
      rpayment.scr.exe
      Remote address:
      142.250.179.227:80
      Request
      GET /r/r1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 854
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Fri, 28 Mar 2025 03:02:08 GMT
      Expires: Fri, 28 Mar 2025 03:52:08 GMT
      Cache-Control: public, max-age=3000
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
      Age: 1707
    • DNS (US)
      o.pki.goog
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      o.pki.goog
      IN A
      Response
      o.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.179.227
    • GET (GB)
      http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt
      rpayment.scr.exe
      Remote address:
      142.250.179.227:80
      Request
      GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 472
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Fri, 28 Mar 2025 02:52:17 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 2298
    • GET (GB)
      http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D
      rpayment.scr.exe
      Remote address:
      142.250.179.227:80
      Request
      GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: o.pki.goog
      Response
      HTTP/1.1 200 OK
      Server: ocsp_responder
      Content-Length: 471
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Date: Fri, 28 Mar 2025 02:37:47 GMT
      Cache-Control: public, max-age=14400
      Content-Type: application/ocsp-response
      Age: 3169
    • DNS (US)
      drive.usercontent.google.com
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      drive.usercontent.google.com
      IN A
      Response
      drive.usercontent.google.com
      IN A
      142.250.180.1
    • GET (GB)
      https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download
      rpayment.scr.exe
      Remote address:
      142.250.180.1:443
      Request
      GET /download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Response
      HTTP/1.1 200 OK
      X-GUploader-UploadID: AKDAyIv_sn-ssoSAKDBcbOu_KU-IE777SIwHyQnz2LQQNsTclwb6ZpiYtfa992pqI67gzA3i
      Content-Type: application/octet-stream
      Content-Security-Policy: sandbox
      Content-Security-Policy: default-src 'none'
      Content-Security-Policy: frame-ancestors 'none'
      X-Content-Security-Policy: sandbox
      Cross-Origin-Opener-Policy: same-origin
      Cross-Origin-Embedder-Policy: require-corp
      Cross-Origin-Resource-Policy: same-site
      X-Content-Type-Options: nosniff
      Content-Disposition: attachment; filename="uHLUnXmjfyIlwDwXtFc113.bin"
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Credentials: false
      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
        X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-Youtube-Client-Version, X-Youtube-Lava-Device-Context, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Label, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-Bot-Info, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id,
        x-goog-pan-request-context, X-AppInt-Credentials
      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
      Accept-Ranges: bytes
      Content-Length: 498752
      Last-Modified: Fri, 28 Mar 2025 00:04:31 GMT
      Date: Fri, 28 Mar 2025 03:30:39 GMT
      Expires: Fri, 28 Mar 2025 03:30:39 GMT
      Cache-Control: private, max-age=0
      X-Goog-Hash: crc32c=WiBzVw==
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • DNS (US)
      geoplugin.net
      rpayment.scr.exe
      Remote address:
      8.8.8.8:53
      Request
      geoplugin.net
      IN A
      Response
      geoplugin.net
      IN A
      178.237.33.50
    • GET (NL)
      http://geoplugin.net/json.gp
      rpayment.scr.exe
      Remote address:
      178.237.33.50:80
      Request
      GET /json.gp HTTP/1.1
      Host: geoplugin.net
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      date: Fri, 28 Mar 2025 03:30:43 GMT
      server: Apache
      content-length: 954
      content-type: application/json; charset=utf-8
      cache-control: public, max-age=300
      access-control-allow-origin: *
    • DNS (US)
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      23.192.18.101
    • GET (GB)
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      23.192.18.101:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: HqJzZuA065RHozzmOcAUiQ==
      Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
      ETag: 0x8DD34DBD43549F4
      x-ms-request-id: 90d94cda-601e-004e-55c9-667962000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Fri, 28 Mar 2025 03:31:06 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV2b304c38.0
      ms-cv-esi: CASMicrosoftCV2b304c38.0
      X-RTag: RT
    • DNS (US)
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      2.19.252.157
      a1363.dscg.akamai.net
      IN A
      2.19.252.143
    • GET (GB)
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      2.19.252.157:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 825
      Content-Type: application/octet-stream
      Content-MD5: O14L1mQEVqdJ2RVebBNXJw==
      Last-Modified: Wed, 26 Feb 2025 21:48:51 GMT
      ETag: 0x8DD56AF5BD2A499
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: 42091eff-701e-0052-4a9a-882b02000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Fri, 28 Mar 2025 03:31:06 GMT
      Connection: keep-alive
    • 172.217.16.238:443
      https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y
      tls, http
      rpayment.scr.exe
      1.4kB
      8.7kB
      13
      12

      HTTP Request

      GET https://drive.google.com/uc?export=download&id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y

      HTTP Response

      303
    • 142.250.179.227:80
      http://c.pki.goog/r/r1.crl
      http
      rpayment.scr.exe
      348 B
      1.7kB
      5
      4

      HTTP Request

      GET http://c.pki.goog/r/r1.crl

      HTTP Response

      200
    • 142.250.179.227:80
      http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D
      http
      rpayment.scr.exe
      836 B
      2.4kB
      8
      5

      HTTP Request

      GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt

      HTTP Response

      200

      HTTP Request

      GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D

      HTTP Response

      200
    • 142.250.180.1:443
      https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download
      tls, http
      rpayment.scr.exe
      11.1kB
      534.8kB
      223
      389

      HTTP Request

      GET https://drive.usercontent.google.com/download?id=18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y&export=download

      HTTP Response

      200
    • 176.65.142.14:6060
      tls
      rpayment.scr.exe
      3.8kB
      1.9kB
      15
      17
    • 176.65.142.14:6060
      tls
      rpayment.scr.exe
      34.5kB
      722.1kB
      300
      538
    • 176.65.142.14:6060
      tls
      rpayment.scr.exe
      104.1kB
      84.4kB
      118
      94
    • 176.65.142.14:6060
      tls
      rpayment.scr.exe
      976 B
      864 B
      7
      5
    • 178.237.33.50:80
      http://geoplugin.net/json.gp
      http
      rpayment.scr.exe
      675 B
      2.5kB
      13
      4

      HTTP Request

      GET http://geoplugin.net/json.gp

      HTTP Response

      200
    • 127.0.0.1:9222
      rpayment.scr.exe
    • 23.192.18.101:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      393 B
      1.7kB
      4
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 2.19.252.157:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      457 B
      2.8kB
      5
      5

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 8.8.8.8:53
      drive.google.com
      dns
      rpayment.scr.exe
      124 B
      78 B
      2
      1

      DNS Request

      drive.google.com

      DNS Request

      drive.google.com

      DNS Response

      172.217.16.238

    • 8.8.8.8:53
      c.pki.goog
      dns
      rpayment.scr.exe
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.179.227

    • 8.8.8.8:53
      o.pki.goog
      dns
      rpayment.scr.exe
      56 B
      107 B
      1
      1

      DNS Request

      o.pki.goog

      DNS Response

      142.250.179.227

    • 8.8.8.8:53
      drive.usercontent.google.com
      dns
      rpayment.scr.exe
      74 B
      90 B
      1
      1

      DNS Request

      drive.usercontent.google.com

      DNS Response

      142.250.180.1

    • 8.8.8.8:53
      geoplugin.net
      dns
      rpayment.scr.exe
      59 B
      75 B
      1
      1

      DNS Request

      geoplugin.net

      DNS Response

      178.237.33.50

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      23.192.18.101

    • 8.8.8.8:53
      crl.microsoft.com
      dns
      63 B
      162 B
      1
      1

      DNS Request

      crl.microsoft.com

      DNS Response

      2.19.252.157
      2.19.252.143
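
    The network table above mixes three kinds of traffic: the payload fetch through Google Drive's direct-download chain (drive.google.com answers 303 and hands off to drive.usercontent.google.com, which serves a 498752-byte .bin), the Remcos side (the geoplugin.net lookup, four TLS sessions to 176.65.142.14:6060, the loopback DevTools socket on 9222), and CRL/OCSP fetches made by the Windows certificate stack (User-Agent Microsoft-CryptoAPI/6.1) that the sample's TLS handshakes and code-signature checks triggered. The Python below is an added example, not part of the report; it classifies flows constructed from the table (hosts, ports, URLs and User-Agents copied from it; the two OCSP requests are modelled as separate flows) and returns only the indicators a defender should act on.

```python
"""Triage a sandbox network table: separate attacker infrastructure from the
OS's own certificate-revocation traffic. Added example; flows are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Flow:
    process: str          # attributed process, "" where the table left it blank
    remote: str
    port: int
    proto: str            # "dns", "http", "tls", "tls,http" or "" as in the table
    url: str = ""         # HTTP(S) request URL when one was recorded
    user_agent: str = ""  # request User-Agent when one was recorded
    qname: str = ""       # queried name for DNS flows


SAMPLE = "rpayment.scr.exe"
FF_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
CAPI_UA = "Microsoft-CryptoAPI/6.1"
DRIVE_ID = "18tpMXWMaHqKIsoy08Gq3a7rKUblJL8-y"
OCSP_1 = "MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDx560%2FLqy01BCQNkH7kIyt"
OCSP_2 = "MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEAtphStRphWCCu97iO6vuXk%3D"

# Constructed from the report's network table.
FLOWS = [
    Flow(SAMPLE, "172.217.16.238", 443, "tls,http",
         f"https://drive.google.com/uc?export=download&id={DRIVE_ID}", FF_UA),
    Flow(SAMPLE, "142.250.179.227", 80, "http", "http://c.pki.goog/r/r1.crl", CAPI_UA),
    Flow(SAMPLE, "142.250.179.227", 80, "http", f"http://o.pki.goog/wr2/{OCSP_1}", CAPI_UA),
    Flow(SAMPLE, "142.250.179.227", 80, "http", f"http://o.pki.goog/wr2/{OCSP_2}", CAPI_UA),
    Flow(SAMPLE, "142.250.180.1", 443, "tls,http",
         f"https://drive.usercontent.google.com/download?id={DRIVE_ID}&export=download", FF_UA),
    *[Flow(SAMPLE, "176.65.142.14", 6060, "tls") for _ in range(4)],
    Flow(SAMPLE, "178.237.33.50", 80, "http", "http://geoplugin.net/json.gp"),
    Flow(SAMPLE, "127.0.0.1", 9222, ""),
    Flow("", "23.192.18.101", 80, "http",
         "http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl", CAPI_UA),
    Flow("", "2.19.252.157", 80, "http",
         "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", CAPI_UA),
    *[Flow(proc, "8.8.8.8", 53, "dns", qname=q) for proc, q in (
        (SAMPLE, "drive.google.com"), (SAMPLE, "c.pki.goog"), (SAMPLE, "o.pki.goog"),
        (SAMPLE, "drive.usercontent.google.com"), (SAMPLE, "geoplugin.net"),
        ("", "www.microsoft.com"), ("", "crl.microsoft.com"))],
]

DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
EXPECTED_TLS_PORTS = {443, 8443}


def triage(flows):
    """Bucket every flow; repeated direct-to-IP TLS on odd ports is counted per socket."""
    report = {k: [] for k in ("c2_candidate", "payload_hosting", "geo_lookup",
                              "local_devtools", "pki_noise", "dns", "other")}
    direct_tls = Counter()
    for f in flows:
        parts = urlsplit(f.url) if f.url else None
        host = (parts.hostname or "") if parts else ""
        path = parts.path if parts else ""
        query = parse_qs(parts.query) if parts else {}
        if f.proto == "dns":
            report["dns"].append(f.qname)
        elif f.user_agent.startswith("Microsoft-CryptoAPI") or path.lower().endswith(".crl"):
            # Revocation checks by the Windows certificate stack: a side effect of TLS and
            # Authenticode validation, not attacker infrastructure.
            report["pki_noise"].append(f"{host}{path}")
        elif host in DRIVE_HOSTS and "id" in query:
            report["payload_hosting"].append(f"{host} file id {query['id'][0]}")
        elif host.endswith("geoplugin.net"):
            report["geo_lookup"].append(host)
        elif ipaddress.ip_address(f.remote).is_loopback and f.port == 9222:
            report["local_devtools"].append(f"{f.remote}:{f.port}")
        elif (f.proto == "tls" and not f.url and f.port not in EXPECTED_TLS_PORTS
              and ipaddress.ip_address(f.remote).is_global):
            direct_tls[(f.remote, f.port)] += 1
        else:
            report["other"].append(f"{f.process or '?'} -> {f.remote}:{f.port} {f.proto}")
    for (remote, port), n in sorted(direct_tls.items()):
        report["c2_candidate"].append(f"{remote}:{port} ({n} connections)")
    return report


def network_iocs(flows):
    """Indicators worth blocking or hunting: the C2 socket and the payload URLs.
    PKI noise, the geolocation service and the loopback DevTools socket are left out."""
    rep = triage(flows)
    iocs = {entry.split(" (")[0] for entry in rep["c2_candidate"]}
    iocs |= {f.url for f in flows if f.url and urlsplit(f.url).hostname in DRIVE_HOSTS}
    return iocs


if __name__ == "__main__":
    for bucket, entries in triage(FLOWS).items():
        print(f"{bucket}: {entries}")
    print("IOCs:", sorted(network_iocs(FLOWS)))
```

    Two caveats the buckets encode: the CRL and OCSP fetches to c.pki.goog and o.pki.goog were attributed to rpayment.scr.exe by the sandbox because CryptoAPI ran inside that process when it validated drive.google.com's certificate, so blocking them would break certificate validation rather than the malware; and the loopback 127.0.0.1:9222 entry is evidence of the DevTools-protocol cookie theft rather than an indicator, since the port is only meaningful alongside the Chrome command line in the process tree.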

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\metadata

      Filesize

      114B

      MD5

      cc5fc5f0121b4cdc58681c0858a4d37a

      SHA1

      5b9e0e43af198057cfce8f422bd7769dcc9523bd

      SHA256

      4c38ae1467dfa863d31ad1112049cd8b71d568d77b7b6a646a8f1c8e414db033

      SHA512

      b6dc7dd5c42fb8ac36467289bca6b119774d51860b88ceef948885fcb7687980e779951edb81f7a7fcb8256baf338203fe3f2f92a8131ab313379f9cfe7aaac5

    • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\reports\f49638ce-a56b-49cd-bac1-1ad3de0f4486.dmp

      Filesize

      566KB

      MD5

      e43e101c9626fe58795767137e7c1218

      SHA1

      fc923dc1b701675eeb033d1241f4a3192e47c86a

      SHA256

      13bdbed9923529ab9ce17b51f83405a4fc46115c809d0b5c87d3c4a18ef86003

      SHA512

      b972991f88d28d0388e780db9b41d78eae1c2cef68f2cac506fe5c7412162367ec28e4c17876771b55aedfc5eb6708acb9e57d2bf1cfc78f1fece5de131a035f

    • C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

      Filesize

      40B

      MD5

      bf6ce6ac72dde4a5ec864bd19454f34f

      SHA1

      817f6e4fceb3c6a0acc1376ca05276fd4d52603e

      SHA256

      e75dceb36299e3a41c7d425da6fc2a8a7c281f5d5caead8250de7e2cf207556d

      SHA512

      67af8f3fd1c2445e4357f42c9fc3fe15cbbe3ffea8538d7ea76d75f41e9dfcd34d1aeb4362051d83ac8768d699c7e0912ba2bf8eaa0de7aba5af38843d0979df

    • C:\Users\Admin\AppData\Local\Temp\ybwfazcdncdywatdimovkgf

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Local\Temp\nso7447.tmp\System.dll

      Filesize

      11KB

      MD5

      a436db0c473a087eb61ff5c53c34ba27

      SHA1

      65ea67e424e75f5065132b539c8b2eda88aa0506

      SHA256

      75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

      SHA512

      908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

    • memory/308-20-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

    • memory/308-19-0x0000000077A51000-0x0000000077B52000-memory.dmp

      Filesize

      1.0MB

    • memory/308-18-0x0000000004470000-0x0000000005609000-memory.dmp

      Filesize

      17.6MB

    • memory/580-84-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/580-82-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/580-83-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/1712-67-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

    • memory/1712-78-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

    • memory/2780-55-0x0000000033470000-0x00000000334A4000-memory.dmp

      Filesize

      208KB

    • memory/2780-104-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-112-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-111-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-54-0x0000000033470000-0x00000000334A4000-memory.dmp

      Filesize

      208KB

    • memory/2780-51-0x0000000033470000-0x00000000334A4000-memory.dmp

      Filesize

      208KB

    • memory/2780-49-0x00000000014F0000-0x0000000002689000-memory.dmp

      Filesize

      17.6MB

    • memory/2780-110-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-48-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-44-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-22-0x0000000077A50000-0x0000000077BF9000-memory.dmp

      Filesize

      1.7MB

    • memory/2780-21-0x00000000014F0000-0x0000000002689000-memory.dmp

      Filesize

      17.6MB

    • memory/2780-95-0x0000000032920000-0x0000000032939000-memory.dmp

      Filesize

      100KB

    • memory/2780-98-0x0000000032920000-0x0000000032939000-memory.dmp

      Filesize

      100KB

    • memory/2780-99-0x0000000032920000-0x0000000032939000-memory.dmp

      Filesize

      100KB

    • memory/2780-100-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-101-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-102-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-103-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-109-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-105-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-106-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-107-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2780-108-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2816-80-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2816-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2816-77-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2816-79-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB
