Source: 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: powershell.exe, 00000001.00000002.1886122116.000001F8B0F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A94D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2322880413.0000000007BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1849772141.000001F898B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2293008965.0000000004FF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000008.00000003.2252216102.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.go
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.1849772141.000001F898DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com
Source: msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000008.00000002.2294071887.00000000065EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2308451576.0000000021610000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju
Source: powershell.exe, 00000001.00000002.1849772141.000001F898DB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5P
Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5XR
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com
Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006645000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=17Ed0BzToN3ez5R1ZegL6CXKwX1COgAju&export=download
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899026000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1mVvsIVW7-x9DjCo7uv1ZOoZtTNzVEFB5&export=download
Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/fk
Source: msiexec.exe, 00000008.00000003.2252216102.0000000006659000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2294071887.0000000006660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/j
Source: powershell.exe, 00000003.00000002.2293008965.0000000005148000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2322880413.0000000007B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1849772141.000001F899776000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1880233584.000001F8A8C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2314752191.000000000605D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.1849772141.000001F89A93A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F89A936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1849772141.000001F899022000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212817161.0000000006666000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2212886408.0000000006666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com