Source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp
Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Source: powershell.exe, 00000002.00000002.2381359043.000001D36D530000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microsoft

Source: powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://drive.google.com

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DBC000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://drive.usercontent.google.com

Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe

Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png

Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html

Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore68

Source: powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore6lBcq

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://apis.google.com

Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/

Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon

Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License

Source: powershell.exe, 00000002.00000002.2343774310.000001D301D7E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.googP

Source: powershell.exe, 00000002.00000002.2343774310.000001D301642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com

Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/

Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2758015392.0000000021600000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y

Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3

Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3$

Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Yv

Source: powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1P

Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1XR8l

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.googhp

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com

Source: msiexec.exe, 00000008.00000003.2698660494.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2662532062.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com/

Source: msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064B8000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com/download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com/download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download

Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester

Source: powershell.exe, 00000002.00000002.2343774310.000001D301459000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://go.micro

Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://ssl.gstatic.com

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://www.google-analytics.com;report-uri

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://www.google.com

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://www.googletagmanager.com

Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://www.gstatic.com