Source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.216.17.14 |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: powershell.exe, 0000000A.00000002.1643140338.0000000006F40000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microB |
Source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoftmB4 |
Source: powershell.exe, 00000008.00000002.1447424610.000001B5ECA6B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.v |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287009699.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287632062.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1283851081.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300950781.000001C352045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301818193.000001C352048000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabg |
Source: wscript.exe, 00000002.00000003.1286829168.000001C353F71000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/w |
Source: wscript.exe, 00000002.00000003.1286738829.000001C35205E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287735795.000001C352086000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d32349b469 |
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D6052000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ln6b9.shop |
Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.bin# |
Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.binq |
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32P |
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32XR |
Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D51BF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |